diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 618d324c2f3..e745c7adcb4 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -93,6 +93,7 @@ /packages/aws_vpcflow_otel @elastic/obs-infraobs-integrations /packages/awsfargate @elastic/obs-infraobs-integrations /packages/awsfirehose @elastic/obs-ds-hosted-services +/packages/axonius @elastic/security-service-integrations /packages/azure @elastic/obs-infraobs-integrations @elastic/obs-ds-hosted-services @elastic/security-service-integrations /packages/azure/data_stream/activitylogs @elastic/obs-infraobs-integrations /packages/azure/data_stream/application_gateway @elastic/security-service-integrations diff --git a/packages/axonius/_dev/build/build.yml b/packages/axonius/_dev/build/build.yml new file mode 100644 index 00000000000..b2596b96490 --- /dev/null +++ b/packages/axonius/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: git@v9.2.0 diff --git a/packages/axonius/_dev/build/docs/README.md b/packages/axonius/_dev/build/docs/README.md new file mode 100644 index 00000000000..4f8c2c71830 --- /dev/null +++ b/packages/axonius/_dev/build/docs/README.md 
@@ -0,0 +1,143 @@ +# Axonius Integration for Elastic + +## Overview + +[Axonius](https://www.axonius.com/) is a cybersecurity asset management platform that automatically collects data from hundreds of IT and security tools through adapters, merges that information, and builds a unified inventory of all assets including devices, users, SaaS apps, cloud instances, and more. By correlating data from multiple systems, Axonius helps organizations identify visibility gaps, missing security controls, risky configurations, and compliance issues. It lets you create powerful queries to answer any security or IT question and automate actions such as sending alerts, creating tickets, or enforcing policies. + +This integration for Elastic allows you to collect assets and security events data using the Axonius API, then visualize the data in Kibana. + +### Compatibility +The Axonius integration is compatible with product version **7.0**. + +### How it works +This integration periodically queries the Axonius API to retrieve logs. + +## What data does this integration collect? +This integration collects log messages of the following type: + +- `Network`: Collect details of all identity assets including: + - networks (endpoint: `/api/v2/networks`) + - load_balancers (endpoint: `/api/v2/load_balancers`) + - network_services (endpoint: `/api/v2/network_services`) + - network_devices (endpoint: `/api/v2/network_devices`) + - firewalls (endpoint: `/api/v2/firewalls`) + - nat_rules (endpoint: `/api/v2/nat_rules`) + - network_routes (endpoint: `/api/v2/network_routes`) + +### Supported use cases + +Integrating the Axonius Network Datastream with Elastic SIEM provides centralized visibility into network assets, traffic exposure, and connectivity across the environment. Kibana dashboards surface key insights into network asset status, device states, and routing behavior, helping analysts quickly understand overall network posture and potential exposure points. 
+ +The dashboards present clear breakdowns of assets by protocol, type, category, and operating system, while metrics highlight publicly exposed and unsafe network devices. Tables provide actionable context around top sources, destinations, subnetworks, routes, locations, and vendors, supporting deeper analysis of network dependencies and communication paths. + +These insights help security teams identify network exposure hotspots, detect misconfigurations or risky assets, and streamline network-focused investigations across the organization. + +## What do I need to use this integration? + +### From Elastic + +This integration installs [Elastic latest transforms](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview). For more details, check the [Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) setup and requirements. + +### From Axonius + +To collect data through the Axonius APIs, you need to provide the **URL**, **API Key** and **API Secret**. Authentication is handled using the **API Key** and **API Secret**, which serves as the required credential. + +#### Retrieve URL, API Token and API Secret: + +1. Log in to the **Axonius** instance. +2. Your instance URL is your Base **URL**. +3. Navigate to **User Settings > API Key**. +4. Generate an **API Key**. +5. If you do not see the API Key tab in your user settings, follow these steps: + 1. Go to **System Settings** > **User and Role Management** > **Service Accounts**. + 2. Create a Service Account, and then generate an **API Key**. +6. Copy both values including **API Key and Secret Key** and store them securely for use in the Integration configuration. + +**Note:** +To generate or reset an API key, your role must be **Admin**, and you must have **API Access** permissions, which include **API Access Enabled** and **Reset API Key**. + +## How do I deploy this integration? 
+ +This integration supports both Elastic Agentless-based and Agent-based installations. + +### Agent-based deployment + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. + +Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. + +### Agentless deployment + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using an agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it. + +For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html) + +### Configure + +1. In the top search bar in Kibana, search for **Integrations**. +2. In the search bar, type **Axonius**. +3. Select the **Axonius** integration from the search results. +4. Select **Add Axonius** to add the integration. +5. Enable and configure only the collection methods which you will use. + + * To **Collect logs from Axonius API**, you'll need to: + + - Configure **URL**, **API Key** and **API Secret**. + - Adjust the integration configuration parameters if required, including the Interval, HTTP Client Timeout etc. to enable data collection. + +6. Select **Save and continue** to save the integration. + +### Validation + +#### Dashboard populated + +1. In the top search bar in Kibana, search for **Dashboards**. +2. 
In the search bar, type **Axonius**, and verify the dashboard information is populated. + +#### Transforms healthy + +1. In the top search bar in Kibana, search for **Transforms**. +2. Select the **Data / Transforms** from the search results. +3. In the search bar, type **axonius**. +4. All transforms from the search results should indicate **Healthy** under the **Health** column. + +## Troubleshooting + +For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems). + +## Scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. + +## Reference + +### Network + +The `network` data stream provides network events from axonius. + +#### network fields + +{{ fields "network" }} + +{{ event "network" }} + +### Inputs used +{{/* All inputs used by this package will be automatically listed here. */}} +{{ inputDocs }} + +### API usage + +These APIs are used with this integration: + +* Network + * networks (endpoint: `/api/v2/networks`) + * load_balancers (endpoint: `/api/v2/load_balancers`) + * network_services (endpoint: `/api/v2/network_services`) + * network_devices (endpoint: `/api/v2/network_devices`) + * firewalls (endpoint: `/api/v2/firewalls`) + * nat_rules (endpoint: `/api/v2/nat_rules`) + * network_routes (endpoint: `/api/v2/network_routes`) + +#### ILM Policy + +To facilitate network data, source data stream-backed indices `.ds-logs-axonius.network-*` are allowed to contain duplicates from each polling interval. ILM policy `logs-axonius.network-default_policy` is added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after `30 days` from ingested date. 
diff --git a/packages/axonius/_dev/deploy/docker/docker-compose.yml b/packages/axonius/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..2c44356c631 --- /dev/null +++ b/packages/axonius/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,15 @@ +version: '3.8' +services: + axonius: + image: docker.elastic.co/observability/stream:v0.20.0 + hostname: axonius + ports: + - 8090 + volumes: + - ./files:/files:ro + environment: + PORT: '8090' + command: + - http-server + - --addr=:8090 + - --config=/files/config.yml diff --git a/packages/axonius/_dev/deploy/docker/files/config.yml b/packages/axonius/_dev/deploy/docker/files/config.yml new file mode 100644 index 00000000000..be768679468 --- /dev/null +++ b/packages/axonius/_dev/deploy/docker/files/config.yml 
@@ -0,0 +1,1273 @@ +rules: + - path: /api/v2/assets/networks + methods: ['POST'] + request_headers: + Content-Type: application/json + api-key: xxxx + api-secret: xxxx + request_body: /.*"next_page":"xyz".*"page":{"limit":2}.*/ + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "assets": [ + { + "internal_axon_id": "100b89429e965a0bf70a9bae08c4b679", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::64062aef-14a6-42a4-86b1-8a25d0c7cb24" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "2142ce3eb735930b68a7", + "id_raw": "912b0b56-fb12-4fe9-8f88-214c6c6b32e5", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "New York City", + "name": "FTP-ENABLED-Allowedcb5E-", + "not_fetched_count": 0, + "pretty_id": "AX-1156168648572164619", + "priority": 1937, + "protocol": "UDP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "b3fa20bb-a9c1-4cb6-80a9-13bcc9d68da5", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "2" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!2142ce3eb735930b68a7", + "type": "entitydata" + } + ] + }, + { + "internal_axon_id": 
"d7d3ed3046767e205f03d59ffd6dfc8a", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::139da08c-a8ef-491d-81e2-6e1f099b5a86" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "a1f2c58c3ae333726dcb", + "id_raw": "5c97838a-8add-45a6-9bcd-f6eacef7821b", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "Log Angeles", + "name": "FTP-ENABLED-AllowedF1fA-", + "not_fetched_count": 0, + "pretty_id": "AX-6328662692982062624", + "priority": 1778, + "protocol": "TCP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "f149a190-ebe7-440b-b370-b052ade5230e", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "4" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!a1f2c58c3ae333726dcb", + "type": "entitydata" + } + ] + } + ], + "meta": { + "cache_last_updated": "Mon, 01 Dec 2025 13:37:38 GMT", + "is_data_from_cache": true, + "page": { + "number": 2, + "size": 2, + "totalPages": 2, + "totalResources": 4 + }, + "next_page": "abcd", + "expand_row": false, + "optimized_view": false, + "relation_fields_data": false + } + } + `}} + + - path: /api/v2/assets/networks + methods: ['POST'] + request_headers: + Content-Type: application/json + api-key: xxxx + 
api-secret: xxxx + request_body: /.*"page":{"limit":2}.*/ + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "assets": [ + { + "internal_axon_id": "100b89429e965a0bf70a9bae08c4b679", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::64062aef-14a6-42a4-86b1-8a25d0c7cb24" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "2142ce3eb735930b68a7", + "id_raw": "912b0b56-fb12-4fe9-8f88-214c6c6b32e5", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "New York City", + "name": "FTP-ENABLED-Allowedcb5E-", + "not_fetched_count": 0, + "pretty_id": "AX-1156168648572164619", + "priority": 1937, + "protocol": "UDP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "b3fa20bb-a9c1-4cb6-80a9-13bcc9d68da5", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "2" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!2142ce3eb735930b68a7", + "type": "entitydata" + } + ] + }, + { + "internal_axon_id": "d7d3ed3046767e205f03d59ffd6dfc8a", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + 
"adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::139da08c-a8ef-491d-81e2-6e1f099b5a86" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "a1f2c58c3ae333726dcb", + "id_raw": "5c97838a-8add-45a6-9bcd-f6eacef7821b", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "Log Angeles", + "name": "FTP-ENABLED-AllowedF1fA-", + "not_fetched_count": 0, + "pretty_id": "AX-6328662692982062624", + "priority": 1778, + "protocol": "TCP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "f149a190-ebe7-440b-b370-b052ade5230e", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "4" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!a1f2c58c3ae333726dcb", + "type": "entitydata" + } + ] + } + ], + "meta": { + "cache_last_updated": "Mon, 01 Dec 2025 13:37:38 GMT", + "is_data_from_cache": true, + "page": { + "number": 2, + "size": 2, + "totalPages": 2, + "totalResources": 4 + }, + "next_page": "xyz", + "expand_row": false, + "optimized_view": false, + "relation_fields_data": false + } + } + `}} + + - path: /api/v2/assets/load_balancers + methods: ['POST'] + request_headers: + Content-Type: application/json + api-key: xxxx + api-secret: xxxx + request_body: /.*"next_page":"xyz".*"page":{"limit":2}.*/ + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + 
{ + "assets": [ + { + "internal_axon_id": "100b89429e965a0bf70a9bae08c4b679", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::64062aef-14a6-42a4-86b1-8a25d0c7cb24" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "2142ce3eb735930b68a7", + "id_raw": "912b0b56-fb12-4fe9-8f88-214c6c6b32e5", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "New York City", + "name": "FTP-ENABLED-Allowedcb5E-", + "not_fetched_count": 0, + "pretty_id": "AX-1156168648572164619", + "priority": 1937, + "protocol": "UDP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "b3fa20bb-a9c1-4cb6-80a9-13bcc9d68da5", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "2" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!2142ce3eb735930b68a7", + "type": "entitydata" + } + ] + }, + { + "internal_axon_id": "d7d3ed3046767e205f03d59ffd6dfc8a", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", 
+ "application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::139da08c-a8ef-491d-81e2-6e1f099b5a86" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "a1f2c58c3ae333726dcb", + "id_raw": "5c97838a-8add-45a6-9bcd-f6eacef7821b", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "Log Angeles", + "name": "FTP-ENABLED-AllowedF1fA-", + "not_fetched_count": 0, + "pretty_id": "AX-6328662692982062624", + "priority": 1778, + "protocol": "TCP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "f149a190-ebe7-440b-b370-b052ade5230e", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "4" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!a1f2c58c3ae333726dcb", + "type": "entitydata" + } + ] + } + ], + "meta": { + "cache_last_updated": "Mon, 01 Dec 2025 13:37:38 GMT", + "is_data_from_cache": true, + "page": { + "number": 2, + "size": 2, + "totalPages": 2, + "totalResources": 4 + }, + "next_page": "abcd", + "expand_row": false, + "optimized_view": false, + "relation_fields_data": false + } + } + `}} + + - path: /api/v2/assets/load_balancers + methods: ['POST'] + request_headers: + Content-Type: application/json + api-key: xxxx + api-secret: xxxx + request_body: /.*"page":{"limit":2}.*/ + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "assets": [ + { + "internal_axon_id": "100b89429e965a0bf70a9bae08c4b679", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": 
"Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::64062aef-14a6-42a4-86b1-8a25d0c7cb24" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "2142ce3eb735930b68a7", + "id_raw": "912b0b56-fb12-4fe9-8f88-214c6c6b32e5", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "New York City", + "name": "FTP-ENABLED-Allowedcb5E-", + "not_fetched_count": 0, + "pretty_id": "AX-1156168648572164619", + "priority": 1937, + "protocol": "UDP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "b3fa20bb-a9c1-4cb6-80a9-13bcc9d68da5", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "2" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!2142ce3eb735930b68a7", + "type": "entitydata" + } + ] + }, + { + "internal_axon_id": "d7d3ed3046767e205f03d59ffd6dfc8a", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::139da08c-a8ef-491d-81e2-6e1f099b5a86" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 
2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "a1f2c58c3ae333726dcb", + "id_raw": "5c97838a-8add-45a6-9bcd-f6eacef7821b", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "Log Angeles", + "name": "FTP-ENABLED-AllowedF1fA-", + "not_fetched_count": 0, + "pretty_id": "AX-6328662692982062624", + "priority": 1778, + "protocol": "TCP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "f149a190-ebe7-440b-b370-b052ade5230e", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "4" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!a1f2c58c3ae333726dcb", + "type": "entitydata" + } + ] + } + ], + "meta": { + "cache_last_updated": "Mon, 01 Dec 2025 13:37:38 GMT", + "is_data_from_cache": true, + "page": { + "number": 2, + "size": 2, + "totalPages": 2, + "totalResources": 4 + }, + "next_page": "xyz", + "expand_row": false, + "optimized_view": false, + "relation_fields_data": false + } + } + `}} + + - path: /api/v2/assets/network_services + methods: ['POST'] + request_headers: + Content-Type: application/json + api-key: xxxx + api-secret: xxxx + request_body: /.*"next_page":"xyz".*"page":{"limit":2}.*/ + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "assets": [ + { + "internal_axon_id": "100b89429e965a0bf70a9bae08c4b679", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + 
"accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::64062aef-14a6-42a4-86b1-8a25d0c7cb24" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "2142ce3eb735930b68a7", + "id_raw": "912b0b56-fb12-4fe9-8f88-214c6c6b32e5", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "New York City", + "name": "FTP-ENABLED-Allowedcb5E-", + "not_fetched_count": 0, + "pretty_id": "AX-1156168648572164619", + "priority": 1937, + "protocol": "UDP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "b3fa20bb-a9c1-4cb6-80a9-13bcc9d68da5", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "2" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!2142ce3eb735930b68a7", + "type": "entitydata" + } + ] + }, + { + "internal_axon_id": "d7d3ed3046767e205f03d59ffd6dfc8a", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::139da08c-a8ef-491d-81e2-6e1f099b5a86" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "a1f2c58c3ae333726dcb", + "id_raw": 
"5c97838a-8add-45a6-9bcd-f6eacef7821b", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "Log Angeles", + "name": "FTP-ENABLED-AllowedF1fA-", + "not_fetched_count": 0, + "pretty_id": "AX-6328662692982062624", + "priority": 1778, + "protocol": "TCP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "f149a190-ebe7-440b-b370-b052ade5230e", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "4" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!a1f2c58c3ae333726dcb", + "type": "entitydata" + } + ] + } + ], + "meta": { + "cache_last_updated": "Mon, 01 Dec 2025 13:37:38 GMT", + "is_data_from_cache": true, + "page": { + "number": 2, + "size": 2, + "totalPages": 2, + "totalResources": 4 + }, + "next_page": "abcd", + "expand_row": false, + "optimized_view": false, + "relation_fields_data": false + } + } + `}} + + - path: /api/v2/assets/network_services + methods: ['POST'] + request_headers: + Content-Type: application/json + api-key: xxxx + api-secret: xxxx + request_body: /.*"page":{"limit":2}.*/ + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "assets": [ + { + "internal_axon_id": "100b89429e965a0bf70a9bae08c4b679", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "application_and_account_name": "azure/azure-demo", + "connected_assets": [ + 
"subscription_id::64062aef-14a6-42a4-86b1-8a25d0c7cb24" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "2142ce3eb735930b68a7", + "id_raw": "912b0b56-fb12-4fe9-8f88-214c6c6b32e5", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "New York City", + "name": "FTP-ENABLED-Allowedcb5E-", + "not_fetched_count": 0, + "pretty_id": "AX-1156168648572164619", + "priority": 1937, + "protocol": "UDP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "b3fa20bb-a9c1-4cb6-80a9-13bcc9d68da5", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "2" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!2142ce3eb735930b68a7", + "type": "entitydata" + } + ] + }, + { + "internal_axon_id": "d7d3ed3046767e205f03d59ffd6dfc8a", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::139da08c-a8ef-491d-81e2-6e1f099b5a86" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "a1f2c58c3ae333726dcb", + "id_raw": "5c97838a-8add-45a6-9bcd-f6eacef7821b", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + 
"last_fetch_connection_label": "azure-demo", + "location": "Log Angeles", + "name": "FTP-ENABLED-AllowedF1fA-", + "not_fetched_count": 0, + "pretty_id": "AX-6328662692982062624", + "priority": 1778, + "protocol": "TCP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "f149a190-ebe7-440b-b370-b052ade5230e", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "4" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!a1f2c58c3ae333726dcb", + "type": "entitydata" + } + ] + } + ], + "meta": { + "cache_last_updated": "Mon, 01 Dec 2025 13:37:38 GMT", + "is_data_from_cache": true, + "page": { + "number": 2, + "size": 2, + "totalPages": 2, + "totalResources": 4 + }, + "next_page": "xyz", + "expand_row": false, + "optimized_view": false, + "relation_fields_data": false + } + } + `}} + + - path: /api/v2/assets/network_devices + methods: ['POST'] + request_headers: + Content-Type: application/json + api-key: xxxx + api-secret: xxxx + request_body: /.*"next_page":"xyz".*"page":{"limit":2}.*/ + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "assets": [ + { + "internal_axon_id": "100b89429e965a0bf70a9bae08c4b679", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::64062aef-14a6-42a4-86b1-8a25d0c7cb24" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 
14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "2142ce3eb735930b68a7", + "id_raw": "912b0b56-fb12-4fe9-8f88-214c6c6b32e5", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "New York City", + "name": "FTP-ENABLED-Allowedcb5E-", + "not_fetched_count": 0, + "pretty_id": "AX-1156168648572164619", + "priority": 1937, + "protocol": "UDP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "b3fa20bb-a9c1-4cb6-80a9-13bcc9d68da5", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "2" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!2142ce3eb735930b68a7", + "type": "entitydata" + } + ] + } + ], + "meta": { + "cache_last_updated": "Mon, 01 Dec 2025 13:37:38 GMT", + "is_data_from_cache": true, + "page": { + "number": 2, + "size": 2, + "totalPages": 2, + "totalResources": 3 + }, + "next_page": "abcd", + "expand_row": false, + "optimized_view": false, + "relation_fields_data": false + } + } + `}} + + - path: /api/v2/assets/network_devices + methods: ['POST'] + request_headers: + Content-Type: application/json + api-key: xxxx + api-secret: xxxx + request_body: /.*"page":{"limit":2}.*/ + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "assets": [ + { + "internal_axon_id": "100b89429e965a0bf70a9bae08c4b679", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + 
"application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::64062aef-14a6-42a4-86b1-8a25d0c7cb24" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "2142ce3eb735930b68a7", + "id_raw": "912b0b56-fb12-4fe9-8f88-214c6c6b32e5", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "New York City", + "name": "FTP-ENABLED-Allowedcb5E-", + "not_fetched_count": 0, + "pretty_id": "AX-1156168648572164619", + "priority": 1937, + "protocol": "UDP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "b3fa20bb-a9c1-4cb6-80a9-13bcc9d68da5", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "2" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!2142ce3eb735930b68a7", + "type": "entitydata" + } + ] + }, + { + "internal_axon_id": "d7d3ed3046767e205f03d59ffd6dfc8a", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::139da08c-a8ef-491d-81e2-6e1f099b5a86" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "a1f2c58c3ae333726dcb", + "id_raw": "5c97838a-8add-45a6-9bcd-f6eacef7821b", + "is_fetched_from_adapter": true, 
+ "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "Log Angeles", + "name": "FTP-ENABLED-AllowedF1fA-", + "not_fetched_count": 0, + "pretty_id": "AX-6328662692982062624", + "priority": 1778, + "protocol": "TCP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "f149a190-ebe7-440b-b370-b052ade5230e", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "4" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!a1f2c58c3ae333726dcb", + "type": "entitydata" + } + ] + } + ], + "meta": { + "cache_last_updated": "Mon, 01 Dec 2025 13:37:38 GMT", + "is_data_from_cache": true, + "page": { + "number": 2, + "size": 2, + "totalPages": 2, + "totalResources": 3 + }, + "next_page": "xyz", + "expand_row": false, + "optimized_view": false, + "relation_fields_data": false + } + } + `}} + + - path: /api/v2/assets/firewalls + methods: ['POST'] + request_headers: + Content-Type: application/json + api-key: xxxx + api-secret: xxxx + request_body: /.*"page":{"limit":2}.*/ + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "assets": [], + "meta": { + "cache_last_updated": "Mon, 01 Dec 2025 13:37:38 GMT", + "is_data_from_cache": true, + "page": { + "number": 1, + "size": 0, + "totalPages": 0, + "totalResources": 0 + }, + "next_page": "xyz", + "expand_row": false, + "optimized_view": false, + "relation_fields_data": false + } + } + `}} + + - path: /api/v2/assets/nat_rules + methods: ['POST'] + request_headers: + Content-Type: application/json + api-key: xxxx + api-secret: xxxx + request_body: /.*"page":{"limit":2}.*/ + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { 
+ "assets": [ + { + "internal_axon_id": "100b89429e965a0bf70a9bae08c4b679", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::64062aef-14a6-42a4-86b1-8a25d0c7cb24" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "2142ce3eb735930b68a7", + "id_raw": "912b0b56-fb12-4fe9-8f88-214c6c6b32e5", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "New York City", + "name": "FTP-ENABLED-Allowedcb5E-", + "not_fetched_count": 0, + "pretty_id": "AX-1156168648572164619", + "priority": 1937, + "protocol": "UDP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "b3fa20bb-a9c1-4cb6-80a9-13bcc9d68da5", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "2" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!2142ce3eb735930b68a7", + "type": "entitydata" + } + ] + }, + { + "internal_axon_id": "d7d3ed3046767e205f03d59ffd6dfc8a", + "adapters": [ + "azure_adapter" + ], + "adapter_list_length": 1, + "specific_data": [ + { + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "Tue, 16 Dec 2025 00:02:05 GMT", + 
"application_and_account_name": "azure/azure-demo", + "connected_assets": [ + "subscription_id::139da08c-a8ef-491d-81e2-6e1f099b5a86" + ], + "direction": "Inbound", + "fetch_time": "Tue, 16 Dec 2025 00:02:04 GMT", + "first_fetch_time": "Sun, 14 Dec 2025 16:49:34 GMT", + "from_last_fetch": true, + "id": "a1f2c58c3ae333726dcb", + "id_raw": "5c97838a-8add-45a6-9bcd-f6eacef7821b", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "Log Angeles", + "name": "FTP-ENABLED-AllowedF1fA-", + "not_fetched_count": 0, + "pretty_id": "AX-6328662692982062624", + "priority": 1778, + "protocol": "TCP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "f149a190-ebe7-440b-b370-b052ade5230e", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": [ + "4" + ], + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!a1f2c58c3ae333726dcb", + "type": "entitydata" + } + ] + } + ], + "meta": { + "cache_last_updated": "Mon, 01 Dec 2025 13:37:38 GMT", + "is_data_from_cache": true, + "page": { + "number": 1, + "size": 2, + "totalPages": 1, + "totalResources": 2 + }, + "next_page": "abcd", + "expand_row": false, + "optimized_view": false, + "relation_fields_data": false + } + } + `}} + + - path: /api/v2/assets/network_routes + methods: ['POST'] + request_headers: + Content-Type: application/json + api-key: xxxx + api-secret: xxxx + request_body: /.*"page":{"limit":2}.*/ + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "assets": [], + "meta": { + "cache_last_updated": "Mon, 01 Dec 2025 13:37:38 GMT", + "is_data_from_cache": true, + "page": { + "number": 1, + "size": 0, + "totalPages": 0, + "totalResources": 0 + }, 
+ "next_page": "abcd", + "expand_row": false, + "optimized_view": false, + "relation_fields_data": false + } + } + `}} diff --git a/packages/axonius/changelog.yml b/packages/axonius/changelog.yml new file mode 100644 index 00000000000..a920cdf5b3a --- /dev/null +++ b/packages/axonius/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: 0.1.0 + changes: + - description: Initial release. + type: enhancement + link: https://github.com/elastic/integrations/pull/16657 diff --git a/packages/axonius/data_stream/network/_dev/test/pipeline/test-common-config.yml b/packages/axonius/data_stream/network/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/axonius/data_stream/network/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/axonius/data_stream/network/_dev/test/pipeline/test-load-balancer.log b/packages/axonius/data_stream/network/_dev/test/pipeline/test-load-balancer.log new file mode 100644 index 00000000000..258e15fe333 --- /dev/null +++ b/packages/axonius/data_stream/network/_dev/test/pipeline/test-load-balancer.log 
@@ -0,0 +1 @@ +{"asset_type":"load_balancers","internal_axon_id":"e0801bc31dca58e8ac9e1a7c8918522f","adapters":["aws_adapter"],"adapter_list_length":1,"event":{"accurate_for_datetime":"Thu, 13 Nov 2025 00:02:30 GMT","adapter_categories":["Cloud Infra"],"client_used":"67fd09ab731ccb57309230fc","data":{"source_addresses":["0.0.0.0"],"accurate_for_datetime":"Thu, 13 Nov 2025 00:02:30 GMT","application_and_account_name":"aws\/aws-demo","connected_assets":["account_id::4f62e52c-ecdb-4763-ab79-6f9680a53781","vpc_id::e1dd172a-abd8-493c-b92a-b12c3c48f506","ec2_id::7c2df42e-5321-41ae-9434-47ca92fe0887","ec2_id::ba0de4c8-c1db-4551-96b3-481d4b444bce","ec2_id::1ea41695-efd1-4775-aa8d-6bdb543c2418","ec2_id::e4be22e5-0431-404b-92ed-3bd0b4facc19","ec2_id::69407be4-e4e8-4e1c-838e-5cdc21024895","ec2_id::911eda3a-e6c4-4c16-888a-0980afb9f88e"],"fetch_time":"Thu, 13 Nov 2025 00:02:25 GMT","first_fetch_time":"Mon, 14 Apr 2025 13:26:49 GMT","from_last_fetch":true,"id":"77ad18efd98987e624bd","id_raw":"7af84e70-9fca-4507-a4ae-318129ab23f8","is_fetched_from_adapter":true,"last_fetch_connection_id":"67fd09ab731ccb57309230fc","last_fetch_connection_label":"aws-demo","name":"unified-dev8-3A8bfe710","not_fetched_count":0,"relatable_ids":["elb_dns::7af84e70-9fca-4507-a4ae-318129ab23f8"],"software_cves":[],"source_application":"AWS","tenant_number":["3"],"type":"LoadBalancers"},"initial_plugin_unique_name":"aws_adapter_0","plugin_name":"aws_adapter","plugin_type":"Adapter","plugin_unique_name":"aws_adapter_0","quick_id":"aws_adapter_0!77ad18efd98987e624bd","type":"entitydata"}} diff --git a/packages/axonius/data_stream/network/_dev/test/pipeline/test-load-balancer.log-expected.json b/packages/axonius/data_stream/network/_dev/test/pipeline/test-load-balancer.log-expected.json new file mode 100644 index 00000000000..699a517dc4d --- /dev/null +++ b/packages/axonius/data_stream/network/_dev/test/pipeline/test-load-balancer.log-expected.json 
@@ -0,0 +1,92 @@ +{ + "expected": [ + { + "@timestamp": "2025-11-13T00:02:30.000Z", + "axonius": { + "network": { + "adapter_list_length": 1, + "adapters": [ + "aws_adapter" + ], + "asset_type": "load_balancers", + "event": { + "accurate_for_datetime": "2025-11-13T00:02:30.000Z", + "adapter_categories": [ + "Cloud Infra" + ], + "client_used": "67fd09ab731ccb57309230fc", + "data": { + "accurate_for_datetime": "2025-11-13T00:02:30.000Z", + "application_and_account_name": "aws/aws-demo", + "connected_assets": [ + "account_id::4f62e52c-ecdb-4763-ab79-6f9680a53781", + "vpc_id::e1dd172a-abd8-493c-b92a-b12c3c48f506", + "ec2_id::7c2df42e-5321-41ae-9434-47ca92fe0887", + "ec2_id::ba0de4c8-c1db-4551-96b3-481d4b444bce", + "ec2_id::1ea41695-efd1-4775-aa8d-6bdb543c2418", + "ec2_id::e4be22e5-0431-404b-92ed-3bd0b4facc19", + "ec2_id::69407be4-e4e8-4e1c-838e-5cdc21024895", + "ec2_id::911eda3a-e6c4-4c16-888a-0980afb9f88e" + ], + "fetch_time": "2025-11-13T00:02:25.000Z", + "first_fetch_time": "2025-04-14T13:26:49.000Z", + "from_last_fetch": true, + "id": "77ad18efd98987e624bd", + "id_raw": "7af84e70-9fca-4507-a4ae-318129ab23f8", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ab731ccb57309230fc", + "last_fetch_connection_label": "aws-demo", + "name": "unified-dev8-3A8bfe710", + "not_fetched_count": 0, + "relatable_ids": [ + "elb_dns::7af84e70-9fca-4507-a4ae-318129ab23f8" + ], + "source_addresses": [ + "0.0.0.0" + ], + "source_application": "AWS", + "tenant_number": [ + "3" + ], + "type": "LoadBalancers" + }, + "initial_plugin_unique_name": "aws_adapter_0", + "plugin_name": "aws_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "aws_adapter_0", + "quick_id": "aws_adapter_0!77ad18efd98987e624bd", + "type": "entitydata" + }, + "internal_axon_id": "e0801bc31dca58e8ac9e1a7c8918522f", + "transform_unique_id": "A2ekfuTgNOL8Kg95htKonXTc8BM=" + } + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "network" + ], + "kind": "event", + 
"original": "{\"asset_type\":\"load_balancers\",\"internal_axon_id\":\"e0801bc31dca58e8ac9e1a7c8918522f\",\"adapters\":[\"aws_adapter\"],\"adapter_list_length\":1,\"event\":{\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:02:30 GMT\",\"adapter_categories\":[\"Cloud Infra\"],\"client_used\":\"67fd09ab731ccb57309230fc\",\"data\":{\"source_addresses\":[\"0.0.0.0\"],\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:02:30 GMT\",\"application_and_account_name\":\"aws\\/aws-demo\",\"connected_assets\":[\"account_id::4f62e52c-ecdb-4763-ab79-6f9680a53781\",\"vpc_id::e1dd172a-abd8-493c-b92a-b12c3c48f506\",\"ec2_id::7c2df42e-5321-41ae-9434-47ca92fe0887\",\"ec2_id::ba0de4c8-c1db-4551-96b3-481d4b444bce\",\"ec2_id::1ea41695-efd1-4775-aa8d-6bdb543c2418\",\"ec2_id::e4be22e5-0431-404b-92ed-3bd0b4facc19\",\"ec2_id::69407be4-e4e8-4e1c-838e-5cdc21024895\",\"ec2_id::911eda3a-e6c4-4c16-888a-0980afb9f88e\"],\"fetch_time\":\"Thu, 13 Nov 2025 00:02:25 GMT\",\"first_fetch_time\":\"Mon, 14 Apr 2025 13:26:49 GMT\",\"from_last_fetch\":true,\"id\":\"77ad18efd98987e624bd\",\"id_raw\":\"7af84e70-9fca-4507-a4ae-318129ab23f8\",\"is_fetched_from_adapter\":true,\"last_fetch_connection_id\":\"67fd09ab731ccb57309230fc\",\"last_fetch_connection_label\":\"aws-demo\",\"name\":\"unified-dev8-3A8bfe710\",\"not_fetched_count\":0,\"relatable_ids\":[\"elb_dns::7af84e70-9fca-4507-a4ae-318129ab23f8\"],\"software_cves\":[],\"source_application\":\"AWS\",\"tenant_number\":[\"3\"],\"type\":\"LoadBalancers\"},\"initial_plugin_unique_name\":\"aws_adapter_0\",\"plugin_name\":\"aws_adapter\",\"plugin_type\":\"Adapter\",\"plugin_unique_name\":\"aws_adapter_0\",\"quick_id\":\"aws_adapter_0!77ad18efd98987e624bd\",\"type\":\"entitydata\"}}", + "type": [ + "info" + ] + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "source": { + "address": [ + "0.0.0.0" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + } + ] +} 
diff --git a/packages/axonius/data_stream/network/_dev/test/pipeline/test-network-device.log b/packages/axonius/data_stream/network/_dev/test/pipeline/test-network-device.log new file mode 100644 index 00000000000..f5e7a0151cd --- /dev/null +++ b/packages/axonius/data_stream/network/_dev/test/pipeline/test-network-device.log 
@@ -0,0 +1 @@ +{"asset_type":"network_devices","labels":["Hugo Martinez"],"event":{"action_if_exists":"update","associated_adapter_plugin_name":"chef_adapter","associated_adapters":[["chef_adapter_0","esx-monitor1871068-stg.healthcare-subsidiary.com"]],"association_type":"Tag","accurate_for_datetime":"Wed, 12 Nov 2025 00:02:19 GMT","adapter_categories":["Cloud Infra","Containers","Virtualization"],"client_used":"67fd09bdfe1c8e812a176bbd","initial_plugin_unique_name":"chef_adapter_0","plugin_name":"chef_adapter","plugin_type":"Adapter","plugin_unique_name":"chef_adapter_0","quick_id":"chef_adapter_0!esx-monitor1871068-stg.healthcare-subsidiary.com","type":"entitydata","data":{"id":"c43154e05d9935b4de68","__fields_to_unset__":["owner","uptime","uptime_hours"],"_keep_hostname_empty":true,"adapter_properties":[],"agent_version":"2.1.1590","agent_versions":[{"adapter_name":"SentinelOne Agent","agent_version":"23.2.6.7122","agent_version_raw":"000000023000000020000000600007122"}],"all_associated_email_addresses":["henry.woodruff@demo.local"],"anti_malware_agent_status":"active","anti_malware_agent_status_message":"On, Real Time","anti_malware_state":"off","arp_interface":"office-vlan","arp_port":"ae1","arp_status":"c","arp_ttl":1510,"assessed_for_policies":true,"assessed_for_vulnerabilities":true,"asset_install_status":"In use","asset_tag":"3445237","asset_user_name":"henry.woodruff@demo.local","associated_device_users":[{"internal_axon_id":[],"is_latest_used_user":true,"last_used_departments":[],"last_used_email":[],"last_used_email_domain":[],"last_used_user_manager":[]}],"associated_saas_applications":[{"internal_axon_id":[],"name":[]}],"axon_id":"7928b5563fb67d158340a5ccb0dbedd8","axonius_instance_name":"Primary","browsers":[{"channel":"STABLE","version":"134.0.6998.45"}],"category":"Hardware","certificate_expiry_date":"Mon,06 Dec 2018 19:11:27 GMT","chrome_device_type":"Chrome Browser Device","cisa_vulnerabilities":[{"action":"Apply mitigations per vendor 
instructions or discontinue use of the product if mitigations are unavailable.","added":"2024-06-13","cve_id":"CVE-2024-4358","desc":"Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access.","due_date":"2024-07-04","notes":"https:\/\/docs.telerik.com\/report-server\/knowledge-base\/registration-auth-bypass-cve-2024-4358; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-4358","product":"Telerik Report Server","used_in_ransomware":false,"vendor":"Progress","vulnerability_name":"Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability"}],"class_name":"cmdb_ci_vm","class_title":"cmdb_ci_vm","class_type":"IT","cloud_provider_account_id":"cebfd225-6a4a-401c-8f18-8d813ff66fee","cmdb_business_applications":[{"app_owner":"Fay Williams","assignment_group":"DevOps","business_criticality":"Low","install_status":"Installed","managed_by":"Vanessa Cunningham","name":"Payroll","number":"OMI0368488","u_architect":"","u_availability_criticality":"Medium","u_confidentiality_criticality":"None","u_crown_jewel":true,"u_integrity_criticality":"Low","u_privacy_criticality":"High"}],"color":"white","common_users":["ronald.mays@demo.local"],"company":"ACME Australia","confidence_level":100,"connected_devices":[],"cp_type":"host","cpus":[{"cores":6,"ghz":4.3,"manufacturer":"GenuineIntel","name":"Intel(R) Core(TM) i5-10400"}],"criticality":"Low","custom_risk_owner":"Internal IT: Computers","data_center":"Netherlands (AM Top)","device_manufacturer":"intel","device_serial":"85584A471A1FEDBF","device_state":"Offline","device_type":"Host","disk_encryption_configuration":"Individual Recovery Key","domain":"healthcare-subsidiary.com","entity_id":"b1c4911d-30aa-4150-8fcb-f46a1ae4b543","environment":"testing","epo_host":"mcafee.demo.local","epo_id":"0190BB31-2AB1-40ED-99E0-312AD935B3CC","epo_products":["McAfee 
Agent"],"excluded_software_cves":[],"external_cloud_account_id":"24690c9d-fb67-4b1b-a78b-43da4c1b9b2d","external_ip":"10.0.60.215","external_nat_ip":"81.2.69.142","fetch_proto":"ARP","fingerprint":"Os x Machine","firewall_enabled":true,"firewall_rules":[],"fqdn":"esx-monitor1871068-stg.healthcare-subsidiary.com","free_physical_memory":3,"general":[{"extension_name":"Bootstrap","extension_value":"YES"}],"generic_encryption":[{"status":true}],"ghost":false,"guest_dns_name":"esx-web5259645-dev.demo.local","guest_family":"linuxGuest","guest_name":"Linux Centos 7","guest_state":"notRunning","hard_drives":{"free_size":64,"is_encrypted":true,"total_size":256},"hardware_status":"Installed","hostname":"esx-monitor1871068-stg.healthcare-subsidiary.com","in_groups":["CounterACT Devices - CORP"],"install_status":"In use","installed_software":[{"generated_cpe":"cpe:2.3:a:nginx:nginx:1.20.1:*:*:*:*:-:*:*","name":"perl","name_version":"perl-5.32.1","sw_uid":"perl:perl","vendor":"nginx","vendor_publisher":"","version":"5.32.1","version_raw":"0000000050000003200000001"}],"ip_address_guid":"40a3583f-2efc-4635-ab19-c6c27d3ef151","is_authenticated_scan":true,"is_fragile":false,"is_latest_last_seen":true,"is_managed":true,"is_network_infra_device":true,"is_purchased":false,"is_safe":true,"jamf_groups":["Last Check-in < 90 Days (All Sites)","FileVault - Boot Partitions Encrypted"],"jamf_groups_detailed":[{"group_id":940,"group_name":"Jamf Connect - Password Synced","smart_group":true}],"jamf_id":9172433,"jamf_location":{"building":"NYAX-1027","email_address":"henry.woodruff@demo.local","phone_number":"-4133","position":"Research & Develop","real_name":"Woodruff, Henry","room":168,"username":"henry.woodruff@demo.local"},"jamf_version":"10.37.0-t1647292853","last_agent_import":"Wed, 12 Nov 2025 00:02:18 GMT","last_auth_run":"Wed, 12 Nov 2025 00:02:18 GMT","last_contact_time":"Wed, 12 Nov 2025 00:02:18 GMT","last_enrolled_date_utc":"Wed, 12 Nov 2025 00:02:18 GMT","last_scan":"Wed, 12 Nov 
2025 00:02:18 GMT","last_seen_agents":"Wed, 12 Nov 2025 00:02:18 GMT","last_unauth_run":"Wed, 12 Nov 2025 00:02:18 GMT","last_used_users":["sherri.campbell@demo.local"],"last_used_users_departments_association":["Customer Success"],"last_used_users_email_domain_association":["demo.local"],"last_used_users_internal_axon_id_association":["8227b6e961cf0ee129dbc29e6a985746"],"last_used_users_mail_association":["henry.woodruff@demo.local"],"last_used_users_user_manager_association":["dennis.harrison@demo.local"],"last_used_users_user_manager_mail_association":["dennis.harrison@demo.local"],"last_used_users_user_status_association":["ACTIVE","active"],"last_used_users_user_title_association":["Customer Success Team Leader"],"latest_used_user":"henry.woodruff@demo.local","latest_used_user_department":"Customer Success","latest_used_user_email_domain":"demo.local","latest_used_user_mail":"henry.woodruff@demo.local","latest_used_user_user_manager":"dennis.harrison@demo.local","latest_used_user_user_status":"ACTIVE","latest_used_user_user_title":"Customer Success Team Leader","linked_tickets":[{"category":"Inquiry \/ Help","created":"Thu, 01 Aug 2024 03:10:27 GMT","description":"Program takes too long to run - Please take care of this","display_id":"INC8652441","priority":"1 - Critical","reporter":"Julie Donohue","status":"Pending","summary":"Program takes too long to run","updated":"Thu, 01 Aug 2024 03:10:27 GMT"}],"lock":"unlocked","meeting_id":"88241487032","microphone":"WH-CH510","nat_policy_ips":[{"address":"172.16.17.68","direction":"translated-destination","matched_on":"original-destination","policy_name":"INTERNET_POLICY","rule_num":176,"uid":"2eef8776-884f-42b5-9d3f-92e0ea392fc4"}],"network":"Demo Network","network_interfaces":[{"ips":["10.0.60.215"],"ips_raw":[167787735],"ips_v4":["10.0.60.215"],"ips_v4_raw":[167787735],"mac":"00:0C:29:12:52:47","manufacturer":"(VMware, 
Inc.)","subnets":["10.0.0.0\/12","10.0.0.0\/16"]}],"network_status":"connected","network_type":"Wifi","nexpose_id":83901,"nexpose_type":"physical","node_id":"2468_web5259645-dev","node_name":"web5259645-dev","normalization_reasons":[{"calculated_time":"Sat, 12 Apr 2025 22:59:20 GMT","key":"normalized_invalid_macs","original":["000C29124E58"],"reason":"000C29125247 - non-correlative hardware - By MAC Normalizer"}],"open_ports":[{"port_id":22,"protocol":"TCP"}],"operational_status":"Operational","organizational_unit":"","os":{"codename":"Monterey","distribution":"Red Hat 8","distribution_name":"Red Hat","end_of_life":"Sat, 12 Apr 2025 22:59:20 GMT","end_of_support":"Sat, 12 Apr 2025 22:59:20 GMT","is_end_of_life":false,"is_end_of_support":true,"is_latest_os_version":false,"is_windows_server":false,"latest_os_version":"9.5","major":8,"minor":5,"os_cpe":"cpe:2.3:o:redhat:enterprise_linux:8:*:*:*:*:*:*:*","os_dotted":8,"os_dotted_raw":8,"os_str":"rhel 8","type":"Linux","type_distribution":"Linux Red Hat 8"},"os_ext_attributes":[{"attr_name":"Root User","data_type":"STRING","definition_id":168,"ext_description":"Is root user enabled or disabled?","input_type":"SCRIPT","is_enabled":true,"is_multivalue":false,"values":[]}],"owner":"henry.woodruff@demo.local","paloalto_device_type":"ARP","part_of_domain":true,"physical_location":"Pune","physical_memory_percentage":90.625,"plugin_and_severities":[{"cpe":"cpe:\/a:openssl:openssl","cve":"CVE-2024-6996","cvss_base_score":4.81,"days_seen":234,"exploit_available":false,"family":{"id":23,"name":"General"},"first_found":"Sat, 12 Apr 2025 22:59:20 GMT","first_seen":"Sat, 12 Apr 2025 22:59:20 GMT","has_been_mitigated":false,"has_patch":false,"last_fixed":"Sat, 12 Apr 2025 22:59:20 GMT","last_found":"Sat, 12 Apr 2025 22:59:20 GMT","last_seen":"Sat, 12 Apr 2025 22:59:20 GMT","mitigated":false,"nessus_instance":{"credentialed_check":"yes (on the 
localhost)","display_superseded_patches":true,"experimental_tests":false,"patch_management_checks":"None","plugin_feed_version":792392186379,"report_verbosity":1,"safe_check":true,"scan_name":"Nessus Agent default san","scan_policy_used":"Collect Inventory","scan_type":"Unix Agent","scanner_edition_used":"Nessus","scanner_ip":"127.0.0.1","thorough_tests":false,"version":"10.5.1"},"patch_publication_date":"Sat, 12 Apr 2025 22:59:20 GMT","plugin":"CVE-2024-6996_PLUGIN","plugin_id":156057,"plugin_id_number":156057,"severity":"high","severity_modification_type":"NONE","solution":"Disable IPv6 if you are not actually using it. Otherwise, disable any unused IPv6 interfaces.","state":"ACTIVE","unsupported_by_vendor":false,"vpr_score":1.77,"vuln_state":"Opened"}],"policy_id":"fec858b9-ffad-46c7-b3e2-0042ea8143a8","policy_name":"8271748d71-2a25-91fd-8f87a89b976c32-122319\/Basic Network Scan","power_state":"TurnedOn","ranger_version":"21.11.0.75","raw_hostname":"esx-monitor1871068-stg.healthcare-subsidiary.com","read_only":true,"recording":true,"relative_path":"bf952f98-7d40-4ff2-81d0-8794f3a08256","report_date":"Fri, 11 Apr 2025 06:18:17 GMT","resource_group":"Devices","risk_level":"none","scan_results":["Axonius Demo - Agents","Axonius Demo - Agents","Manufacturing - OT"],"scan_results_objs":[{"id":6174,"name":"Axonius Demo - Agents","status":"Completed"}],"scanner":true,"security_updates_last_changed":"Fri, 11 Apr 2025 06:18:17 GMT","security_updates_status":"active","services":[],"severity_critical":0,"severity_high":0,"severity_info":67,"severity_low":0,"severity_medium":0,"share_application":false,"share_desktop":true,"share_whiteboard":false,"sip_status":true,"site_name":"Jerusalem","software_cves":[{"axonius_risk_score":4.98,"axonius_status":"Open","axonius_status_last_update":"11 Apr 2025 06:18:17 GMT","custom_software_cves_business_unit":"Infra: On-Prem (bare 
metal)","cve_from_sw_analysis":true,"cve_id":"CVE-2024-4358","cve_list":[],"cve_severity":"CRITICAL","cve_synopsis":"Discovered closed port on the host (reachable without firewalling).","cvss":9.8,"cvss2_score":9.8,"cvss2_score_num":9.8,"cvss3_score":7,"cvss3_score_num":7,"cvss4_score":5.5,"cvss4_score_num":5.5,"cvss_str":"CVSS 9.8","cvss_vector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H","cvss_version":"v3.0","cwe_id":"","epss":{"creation_date":"11 Apr 2025 06:18:17 GMT","cve_id":"CVE-2016-10010","percentile":0.24268,"score":0.0008},"exploitability_score":3.9,"first_fetch_time":"11 Apr 2025 06:18:17 GMT","hash_id":"4kpAtLKz2YMqXtns","impact_score":5.9,"last_fetch_time":"11 Apr 2025 06:18:17 GMT","last_modified_date":"11 Apr 2025 06:18:17 GMT","mitigated":false,"msrc":{"creation_date":"Tue","cve_id":"CVE-2024-32021","title":"CVE-2024-32021"},"nvd_publish_age":3232,"publish_date":"11 Apr 2025 06:18:17 GMT","software_name":"Web Help Desk","software_type":"Application","software_vendor":"SolarWinds","software_version":"12.8.1","solution_hash_id":"1lCfLMyv4gV3dPO5","version_raw":"0000000120000000800000001"}],"speaker":"Logi USB Headset","special_hint":0,"special_hint_underscore":"rInternal","subnet_tag":"VLAN Jerusalem","swap_free":8.4,"swap_total":14,"sys_id":"ddfdcdfddfad8f4e475a653c515cb0be","table_type":"vm","tenant_tag":"AXONDEMO","threat_level":"High-High","threats":[],"total":67,"total_number_of_cores":6,"total_physical_memory":32,"u_business_owner":"Brady Allen","u_business_unit":"Sales","uniq_sites_count":47,"uri":"swis:\/\/esx-web5259645-dev.demo.local\/Orion\/Orion.Nodes\/NodeID=2468","uuid":"0e3a686a-79d6-43c4-a09f-08f5330fb198","vendor":"intel","virtual_host":true,"vm_status":"Suspended","vm_type":"lxc","vpn_domain":"esx-externalmongo-5344437-prd.manufacturing.com","vpn_is_local":true,"vpn_lifetime":43200,"vpn_public_ip":"0.0.0.0","vpn_tunnel_type":"SSL","vpn_type":"Device Level 
VPN","z_sys_class_name":"cmdb_ci_vm","z_table_hierarchy":[{"name":"cmdb_ci_vm"}],"zoom_ip":"0.0.0.0"}},"event.enrichment_type":"cve","event.entity":"devices","event.hidden_for_gui":true,"event.name":"cisa_enrichment_0"} diff --git a/packages/axonius/data_stream/network/_dev/test/pipeline/test-network-device.log-expected.json b/packages/axonius/data_stream/network/_dev/test/pipeline/test-network-device.log-expected.json new file mode 100644 index 00000000000..7cb3ee0a04a --- /dev/null +++ b/packages/axonius/data_stream/network/_dev/test/pipeline/test-network-device.log-expected.json 
@@ -0,0 +1,625 @@ +{ + "expected": [ + { + "@timestamp": "2025-11-12T00:02:19.000Z", + "axonius": { + "network": { + "asset_type": "network_devices", + "event": { + "accurate_for_datetime": "2025-11-12T00:02:19.000Z", + "action_if_exists": "update", + "adapter_categories": [ + "Cloud Infra", + "Containers", + "Virtualization" + ], + "associated_adapter_plugin_name": "chef_adapter", + "association_type": "Tag", + "client_used": "67fd09bdfe1c8e812a176bbd", + "data": { + "_keep_hostname_empty": true, + "agent_version": "2.1.1590", + "agent_versions": [ + { + "adapter_name": "SentinelOne Agent", + "agent_version": "23.2.6.7122", + "agent_version_raw": "000000023000000020000000600007122" + } + ], + "all_associated_email_addresses": [ + "henry.woodruff@demo.local" + ], + "anti_malware_agent_status": "active", + "anti_malware_agent_status_message": "On, Real Time", + "anti_malware_state": "off", + "arp_interface": "office-vlan", + "arp_port": "ae1", + "arp_status": "c", + "arp_ttl": 1510, + "assessed_for_policies": true, + "assessed_for_vulnerabilities": true, + "asset_install_status": "In use", + "asset_tag": "3445237", + "asset_user_name": "henry.woodruff@demo.local", + "associated_device_users": [ + { + "is_latest_used_user": true + } + ], + "axon_id": "7928b5563fb67d158340a5ccb0dbedd8", + "axonius_instance_name": "Primary", + "browsers": [ + { + "channel": "STABLE", + "version": "134.0.6998.45" + } + ], + "category": "Hardware", + "certificate_expiry_date": "2018-12-06T19:11:27.000Z", + "chrome_device_type": "Chrome Browser Device", + "cisa_vulnerabilities": [ + { + "action": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", + "added": "2024-06-13T00:00:00.000Z", + "cve_id": "CVE-2024-4358", + "desc": "Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access.", + "due_date": "2024-07-04T00:00:00.000Z", + "notes": 
"https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358; https://nvd.nist.gov/vuln/detail/CVE-2024-4358", + "product": "Telerik Report Server", + "used_in_ransomware": false, + "vendor": "Progress", + "vulnerability_name": "Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability" + } + ], + "class_name": "cmdb_ci_vm", + "class_title": "cmdb_ci_vm", + "class_type": "IT", + "cloud_provider_account_id": "cebfd225-6a4a-401c-8f18-8d813ff66fee", + "cmdb_business_applications": [ + { + "app_owner": "Fay Williams", + "assignment_group": "DevOps", + "business_criticality": "Low", + "install_status": "Installed", + "managed_by": "Vanessa Cunningham", + "name": "Payroll", + "number": "OMI0368488", + "u_availability_criticality": "Medium", + "u_confidentiality_criticality": "None", + "u_crown_jewel": true, + "u_integrity_criticality": "Low", + "u_privacy_criticality": "High" + } + ], + "color": "white", + "common_users": [ + "ronald.mays@demo.local" + ], + "company": "ACME Australia", + "confidence_level": 100, + "cp_type": "host", + "cpus": [ + { + "cores": 6, + "ghz": 4.3, + "manufacturer": "GenuineIntel", + "name": "Intel(R) Core(TM) i5-10400" + } + ], + "criticality": "Low", + "custom_risk_owner": "Internal IT: Computers", + "data_center": "Netherlands (AM Top)", + "device_manufacturer": "intel", + "device_serial": "85584A471A1FEDBF", + "device_state": "Offline", + "device_type": "Host", + "disk_encryption_configuration": "Individual Recovery Key", + "domain": "healthcare-subsidiary.com", + "entity_id": "b1c4911d-30aa-4150-8fcb-f46a1ae4b543", + "environment": "testing", + "epo_host": "mcafee.demo.local", + "epo_id": "0190BB31-2AB1-40ED-99E0-312AD935B3CC", + "epo_products": [ + "McAfee Agent" + ], + "external_cloud_account_id": "24690c9d-fb67-4b1b-a78b-43da4c1b9b2d", + "external_ip": "10.0.60.215", + "external_nat_ip": "81.2.69.142", + "fetch_proto": "ARP", + "fields_to_unset": [ + "owner", + "uptime", + 
"uptime_hours" + ], + "fingerprint": "Os x Machine", + "firewall_enabled": true, + "fqdn": "esx-monitor1871068-stg.healthcare-subsidiary.com", + "free_physical_memory": 3.0, + "general": [ + { + "extension_name": "Bootstrap", + "extension_value": "YES" + } + ], + "generic_encryption": [ + { + "status": true + } + ], + "ghost": false, + "guest_dns_name": "esx-web5259645-dev.demo.local", + "guest_family": "linuxGuest", + "guest_name": "Linux Centos 7", + "guest_state": "notRunning", + "hard_drives": { + "free_size": 64.0, + "is_encrypted": true, + "total_size": 256.0 + }, + "hardware_status": "Installed", + "hostname": "esx-monitor1871068-stg.healthcare-subsidiary.com", + "id": "c43154e05d9935b4de68", + "in_groups": [ + "CounterACT Devices - CORP" + ], + "install_status": "In use", + "installed_software": [ + { + "generated_cpe": "cpe:2.3:a:nginx:nginx:1.20.1:*:*:*:*:-:*:*", + "name": "perl", + "name_version": "perl-5.32.1", + "sw_uid": "perl:perl", + "vendor": "nginx", + "version": "5.32.1", + "version_raw": "0000000050000003200000001" + } + ], + "ip_address_guid": "40a3583f-2efc-4635-ab19-c6c27d3ef151", + "is_authenticated_scan": true, + "is_fragile": false, + "is_latest_last_seen": true, + "is_managed": true, + "is_network_infra_device": true, + "is_purchased": false, + "is_safe": true, + "jamf_groups": [ + "Last Check-in < 90 Days (All Sites)", + "FileVault - Boot Partitions Encrypted" + ], + "jamf_groups_detailed": [ + { + "group_id": "940", + "group_name": "Jamf Connect - Password Synced", + "smart_group": true + } + ], + "jamf_id": "9172433", + "jamf_location": { + "building": "NYAX-1027", + "email_address": "henry.woodruff@demo.local", + "phone_number": "-4133", + "position": "Research & Develop", + "real_name": "Woodruff, Henry", + "room": 168, + "username": "henry.woodruff@demo.local" + }, + "jamf_version": "10.37.0-t1647292853", + "last_agent_import": "2025-11-12T00:02:18.000Z", + "last_auth_run": "2025-11-12T00:02:18.000Z", + "last_contact_time": 
"2025-11-12T00:02:18.000Z", + "last_enrolled_date_utc": "2025-11-12T00:02:18.000Z", + "last_scan": "2025-11-12T00:02:18.000Z", + "last_seen_agents": "2025-11-12T00:02:18.000Z", + "last_unauth_run": "2025-11-12T00:02:18.000Z", + "last_used_users": [ + "sherri.campbell@demo.local" + ], + "last_used_users_departments_association": [ + "Customer Success" + ], + "last_used_users_email_domain_association": [ + "demo.local" + ], + "last_used_users_internal_axon_id_association": [ + "8227b6e961cf0ee129dbc29e6a985746" + ], + "last_used_users_mail_association": [ + "henry.woodruff@demo.local" + ], + "last_used_users_user_manager_association": [ + "dennis.harrison@demo.local" + ], + "last_used_users_user_manager_mail_association": [ + "dennis.harrison@demo.local" + ], + "last_used_users_user_status_association": [ + "ACTIVE", + "active" + ], + "last_used_users_user_title_association": [ + "Customer Success Team Leader" + ], + "latest_used_user": "henry.woodruff@demo.local", + "latest_used_user_department": "Customer Success", + "latest_used_user_email_domain": "demo.local", + "latest_used_user_mail": "henry.woodruff@demo.local", + "latest_used_user_user_manager": "dennis.harrison@demo.local", + "latest_used_user_user_status": "ACTIVE", + "latest_used_user_user_title": "Customer Success Team Leader", + "linked_tickets": [ + { + "category": "Inquiry / Help", + "created": "2024-08-01T03:10:27.000Z", + "description": "Program takes too long to run - Please take care of this", + "display_id": "INC8652441", + "priority": "1 - Critical", + "reporter": "Julie Donohue", + "status": "Pending", + "summary": "Program takes too long to run", + "updated": "2024-08-01T03:10:27.000Z" + } + ], + "lock": "unlocked", + "meeting_id": "88241487032", + "microphone": "WH-CH510", + "nat_policy_ips": [ + { + "address": "172.16.17.68", + "direction": "translated-destination", + "matched_on": "original-destination", + "policy_name": "INTERNET_POLICY", + "rule_num": 176, + "uid": 
"2eef8776-884f-42b5-9d3f-92e0ea392fc4" + } + ], + "network": "Demo Network", + "network_interfaces": [ + { + "ips": [ + "10.0.60.215" + ], + "ips_raw": [ + 167787735 + ], + "ips_v4": [ + "10.0.60.215" + ], + "ips_v4_raw": [ + 167787735 + ], + "mac": "00-0C-29-12-52-47", + "manufacturer": "(VMware, Inc.)", + "subnets": [ + "10.0.0.0/12", + "10.0.0.0/16" + ] + } + ], + "network_status": "connected", + "network_type": "Wifi", + "nexpose_id": "83901", + "nexpose_type": "physical", + "node_id": "2468_web5259645-dev", + "node_name": "web5259645-dev", + "normalization_reasons": [ + { + "calculated_time": "2025-04-12T22:59:20.000Z", + "key": "normalized_invalid_macs", + "original": [ + "000C29124E58" + ], + "reason": "000C29125247 - non-correlative hardware - By MAC Normalizer" + } + ], + "open_ports": [ + { + "port_id": "22", + "protocol": "TCP" + } + ], + "operational_status": "Operational", + "os": { + "codename": "Monterey", + "distribution": "Red Hat 8", + "distribution_name": "Red Hat", + "end_of_life": "2025-04-12T22:59:20.000Z", + "end_of_support": "2025-04-12T22:59:20.000Z", + "is_end_of_life": false, + "is_end_of_support": true, + "is_latest_os_version": false, + "is_windows_server": false, + "latest_os_version": "9.5", + "major": 8, + "minor": 5, + "os_cpe": "cpe:2.3:o:redhat:enterprise_linux:8:*:*:*:*:*:*:*", + "os_dotted": "8", + "os_dotted_raw": 8, + "os_str": "rhel 8", + "type": "Linux", + "type_distribution": "Linux Red Hat 8" + }, + "os_ext_attributes": [ + { + "attr_name": "Root User", + "data_type": "STRING", + "definition_id": "168", + "ext_description": "Is root user enabled or disabled?", + "input_type": "SCRIPT", + "is_enabled": true, + "is_multivalue": false + } + ], + "owner": "henry.woodruff@demo.local", + "paloalto_device_type": "ARP", + "part_of_domain": true, + "physical_location": "Pune", + "physical_memory_percentage": 90.625, + "plugin_and_severities": [ + { + "cpe": "cpe:/a:openssl:openssl", + "cve": "CVE-2024-6996", + "cvss_base_score": 
4.81, + "days_seen": 234, + "exploit_available": false, + "family": { + "id": "23", + "name": "General" + }, + "first_found": "2025-04-12T22:59:20.000Z", + "first_seen": "2025-04-12T22:59:20.000Z", + "has_been_mitigated": false, + "has_patch": false, + "last_fixed": "2025-04-12T22:59:20.000Z", + "last_found": "2025-04-12T22:59:20.000Z", + "last_seen": "2025-04-12T22:59:20.000Z", + "mitigated": false, + "nessus_instance": { + "credentialed_check": "yes (on the localhost)", + "display_superseded_patches": true, + "experimental_tests": false, + "patch_management_checks": "None", + "plugin_feed_version": "792392186379", + "report_verbosity": 1, + "safe_check": true, + "scan_name": "Nessus Agent default san", + "scan_policy_used": "Collect Inventory", + "scan_type": "Unix Agent", + "scanner_edition_used": "Nessus", + "scanner_ip": "127.0.0.1", + "thorough_tests": false, + "version": "10.5.1" + }, + "patch_publication_date": "2025-04-12T22:59:20.000Z", + "plugin": "CVE-2024-6996_PLUGIN", + "plugin_id": "156057", + "plugin_id_number": "156057", + "severity": "high", + "severity_modification_type": "NONE", + "solution": "Disable IPv6 if you are not actually using it. 
Otherwise, disable any unused IPv6 interfaces.", + "state": "ACTIVE", + "unsupported_by_vendor": false, + "vpr_score": 1.77, + "vuln_state": "Opened" + } + ], + "policy_id": "fec858b9-ffad-46c7-b3e2-0042ea8143a8", + "policy_name": "8271748d71-2a25-91fd-8f87a89b976c32-122319/Basic Network Scan", + "power_state": "TurnedOn", + "ranger_version": "21.11.0.75", + "raw_hostname": "esx-monitor1871068-stg.healthcare-subsidiary.com", + "read_only": true, + "recording": true, + "relative_path": "bf952f98-7d40-4ff2-81d0-8794f3a08256", + "report_date": "2025-04-11T06:18:17.000Z", + "resource_group": "Devices", + "risk_level_value": "none", + "scan_results": [ + "Axonius Demo - Agents", + "Axonius Demo - Agents", + "Manufacturing - OT" + ], + "scan_results_objs": [ + { + "id": "6174", + "name": "Axonius Demo - Agents", + "status": "Completed" + } + ], + "scanner": true, + "security_updates_last_changed": "2025-04-11T06:18:17.000Z", + "security_updates_status": "active", + "severity_critical": 0, + "severity_high": 0, + "severity_info": 67, + "severity_low": 0, + "severity_medium": 0, + "share_application": false, + "share_desktop": true, + "share_whiteboard": false, + "sip_status": true, + "site_name": "Jerusalem", + "software_cves": [ + { + "axonius_risk_score": 4.98, + "axonius_status": "Open", + "custom_software_cves_business_unit": "Infra: On-Prem (bare metal)", + "cve_from_sw_analysis": true, + "cve_id": "CVE-2024-4358", + "cve_severity": "CRITICAL", + "cve_synopsis": "Discovered closed port on the host (reachable without firewalling).", + "cvss": 9.8, + "cvss2_score": 9.8, + "cvss2_score_num": 9.8, + "cvss3_score": 7.0, + "cvss3_score_num": 7.0, + "cvss4_score": 5.5, + "cvss4_score_num": 5.5, + "cvss_str": "CVSS 9.8", + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvss_version": "v3.0", + "epss": { + "cve_id": "CVE-2016-10010", + "percentile": 0.24268, + "score": 8.0E-4 + }, + "exploitability_score": 3.9, + "hash_id": "4kpAtLKz2YMqXtns", + 
"impact_score": 5.9, + "mitigated": false, + "msrc": { + "creation_date": "Tue", + "cve_id": "CVE-2024-32021", + "title": "CVE-2024-32021" + }, + "nvd_publish_age": 3232, + "software_name": "Web Help Desk", + "software_type": "Application", + "software_vendor": "SolarWinds", + "software_version": "12.8.1", + "solution_hash_id": "1lCfLMyv4gV3dPO5", + "version_raw": "0000000120000000800000001" + } + ], + "speaker": "Logi USB Headset", + "special_hint": 0, + "special_hint_underscore": "rInternal", + "subnet_tag": "VLAN Jerusalem", + "swap_free": 8.4, + "swap_total": 14.0, + "sys_id": "ddfdcdfddfad8f4e475a653c515cb0be", + "table_type": "vm", + "tenant_tag": "AXONDEMO", + "threat_level": "High-High", + "total": 67, + "total_number_of_cores": 6, + "total_physical_memory": 32.0, + "u_business_owner": "Brady Allen", + "u_business_unit": "Sales", + "uniq_sites_count": 47, + "uri": "swis://esx-web5259645-dev.demo.local/Orion/Orion.Nodes/NodeID=2468", + "uuid": "0e3a686a-79d6-43c4-a09f-08f5330fb198", + "vendor": "intel", + "virtual_host": true, + "vm_status": "Suspended", + "vm_type": "lxc", + "vpn_domain": "esx-externalmongo-5344437-prd.manufacturing.com", + "vpn_is_local": true, + "vpn_lifetime": 43200, + "vpn_public_ip": "0.0.0.0", + "vpn_tunnel_type": "SSL", + "vpn_type": "Device Level VPN", + "z_sys_class_name": "cmdb_ci_vm", + "z_table_hierarchy": [ + { + "name": "cmdb_ci_vm" + } + ], + "zoom_ip": "0.0.0.0" + }, + "initial_plugin_unique_name": "chef_adapter_0", + "plugin_name": "chef_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "chef_adapter_0", + "quick_id": "chef_adapter_0!esx-monitor1871068-stg.healthcare-subsidiary.com", + "type": "entitydata" + }, + "labels": [ + "Hugo Martinez" + ], + "transform_unique_id": "elBxji43jmPp5MHu5wfESrGUPrg=" + } + }, + "cloud": { + "account": { + "id": "cebfd225-6a4a-401c-8f18-8d813ff66fee" + } + }, + "device": { + "manufacturer": "intel", + "serial_number": "85584A471A1FEDBF", + "type": "Host" + }, + "ecs": { + 
"version": "9.2.0" + }, + "event": { + "action": "update", + "category": [ + "network", + "vulnerability" + ], + "kind": "event", + "original": "{\"asset_type\":\"network_devices\",\"labels\":[\"Hugo Martinez\"],\"event\":{\"action_if_exists\":\"update\",\"associated_adapter_plugin_name\":\"chef_adapter\",\"associated_adapters\":[[\"chef_adapter_0\",\"esx-monitor1871068-stg.healthcare-subsidiary.com\"]],\"association_type\":\"Tag\",\"accurate_for_datetime\":\"Wed, 12 Nov 2025 00:02:19 GMT\",\"adapter_categories\":[\"Cloud Infra\",\"Containers\",\"Virtualization\"],\"client_used\":\"67fd09bdfe1c8e812a176bbd\",\"initial_plugin_unique_name\":\"chef_adapter_0\",\"plugin_name\":\"chef_adapter\",\"plugin_type\":\"Adapter\",\"plugin_unique_name\":\"chef_adapter_0\",\"quick_id\":\"chef_adapter_0!esx-monitor1871068-stg.healthcare-subsidiary.com\",\"type\":\"entitydata\",\"data\":{\"id\":\"c43154e05d9935b4de68\",\"__fields_to_unset__\":[\"owner\",\"uptime\",\"uptime_hours\"],\"_keep_hostname_empty\":true,\"adapter_properties\":[],\"agent_version\":\"2.1.1590\",\"agent_versions\":[{\"adapter_name\":\"SentinelOne Agent\",\"agent_version\":\"23.2.6.7122\",\"agent_version_raw\":\"000000023000000020000000600007122\"}],\"all_associated_email_addresses\":[\"henry.woodruff@demo.local\"],\"anti_malware_agent_status\":\"active\",\"anti_malware_agent_status_message\":\"On, Real Time\",\"anti_malware_state\":\"off\",\"arp_interface\":\"office-vlan\",\"arp_port\":\"ae1\",\"arp_status\":\"c\",\"arp_ttl\":1510,\"assessed_for_policies\":true,\"assessed_for_vulnerabilities\":true,\"asset_install_status\":\"In 
use\",\"asset_tag\":\"3445237\",\"asset_user_name\":\"henry.woodruff@demo.local\",\"associated_device_users\":[{\"internal_axon_id\":[],\"is_latest_used_user\":true,\"last_used_departments\":[],\"last_used_email\":[],\"last_used_email_domain\":[],\"last_used_user_manager\":[]}],\"associated_saas_applications\":[{\"internal_axon_id\":[],\"name\":[]}],\"axon_id\":\"7928b5563fb67d158340a5ccb0dbedd8\",\"axonius_instance_name\":\"Primary\",\"browsers\":[{\"channel\":\"STABLE\",\"version\":\"134.0.6998.45\"}],\"category\":\"Hardware\",\"certificate_expiry_date\":\"Mon,06 Dec 2018 19:11:27 GMT\",\"chrome_device_type\":\"Chrome Browser Device\",\"cisa_vulnerabilities\":[{\"action\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"added\":\"2024-06-13\",\"cve_id\":\"CVE-2024-4358\",\"desc\":\"Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access.\",\"due_date\":\"2024-07-04\",\"notes\":\"https:\\/\\/docs.telerik.com\\/report-server\\/knowledge-base\\/registration-auth-bypass-cve-2024-4358; https:\\/\\/nvd.nist.gov\\/vuln\\/detail\\/CVE-2024-4358\",\"product\":\"Telerik Report Server\",\"used_in_ransomware\":false,\"vendor\":\"Progress\",\"vulnerability_name\":\"Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability\"}],\"class_name\":\"cmdb_ci_vm\",\"class_title\":\"cmdb_ci_vm\",\"class_type\":\"IT\",\"cloud_provider_account_id\":\"cebfd225-6a4a-401c-8f18-8d813ff66fee\",\"cmdb_business_applications\":[{\"app_owner\":\"Fay Williams\",\"assignment_group\":\"DevOps\",\"business_criticality\":\"Low\",\"install_status\":\"Installed\",\"managed_by\":\"Vanessa 
Cunningham\",\"name\":\"Payroll\",\"number\":\"OMI0368488\",\"u_architect\":\"\",\"u_availability_criticality\":\"Medium\",\"u_confidentiality_criticality\":\"None\",\"u_crown_jewel\":true,\"u_integrity_criticality\":\"Low\",\"u_privacy_criticality\":\"High\"}],\"color\":\"white\",\"common_users\":[\"ronald.mays@demo.local\"],\"company\":\"ACME Australia\",\"confidence_level\":100,\"connected_devices\":[],\"cp_type\":\"host\",\"cpus\":[{\"cores\":6,\"ghz\":4.3,\"manufacturer\":\"GenuineIntel\",\"name\":\"Intel(R) Core(TM) i5-10400\"}],\"criticality\":\"Low\",\"custom_risk_owner\":\"Internal IT: Computers\",\"data_center\":\"Netherlands (AM Top)\",\"device_manufacturer\":\"intel\",\"device_serial\":\"85584A471A1FEDBF\",\"device_state\":\"Offline\",\"device_type\":\"Host\",\"disk_encryption_configuration\":\"Individual Recovery Key\",\"domain\":\"healthcare-subsidiary.com\",\"entity_id\":\"b1c4911d-30aa-4150-8fcb-f46a1ae4b543\",\"environment\":\"testing\",\"epo_host\":\"mcafee.demo.local\",\"epo_id\":\"0190BB31-2AB1-40ED-99E0-312AD935B3CC\",\"epo_products\":[\"McAfee Agent\"],\"excluded_software_cves\":[],\"external_cloud_account_id\":\"24690c9d-fb67-4b1b-a78b-43da4c1b9b2d\",\"external_ip\":\"10.0.60.215\",\"external_nat_ip\":\"81.2.69.142\",\"fetch_proto\":\"ARP\",\"fingerprint\":\"Os x Machine\",\"firewall_enabled\":true,\"firewall_rules\":[],\"fqdn\":\"esx-monitor1871068-stg.healthcare-subsidiary.com\",\"free_physical_memory\":3,\"general\":[{\"extension_name\":\"Bootstrap\",\"extension_value\":\"YES\"}],\"generic_encryption\":[{\"status\":true}],\"ghost\":false,\"guest_dns_name\":\"esx-web5259645-dev.demo.local\",\"guest_family\":\"linuxGuest\",\"guest_name\":\"Linux Centos 7\",\"guest_state\":\"notRunning\",\"hard_drives\":{\"free_size\":64,\"is_encrypted\":true,\"total_size\":256},\"hardware_status\":\"Installed\",\"hostname\":\"esx-monitor1871068-stg.healthcare-subsidiary.com\",\"in_groups\":[\"CounterACT Devices - CORP\"],\"install_status\":\"In 
use\",\"installed_software\":[{\"generated_cpe\":\"cpe:2.3:a:nginx:nginx:1.20.1:*:*:*:*:-:*:*\",\"name\":\"perl\",\"name_version\":\"perl-5.32.1\",\"sw_uid\":\"perl:perl\",\"vendor\":\"nginx\",\"vendor_publisher\":\"\",\"version\":\"5.32.1\",\"version_raw\":\"0000000050000003200000001\"}],\"ip_address_guid\":\"40a3583f-2efc-4635-ab19-c6c27d3ef151\",\"is_authenticated_scan\":true,\"is_fragile\":false,\"is_latest_last_seen\":true,\"is_managed\":true,\"is_network_infra_device\":true,\"is_purchased\":false,\"is_safe\":true,\"jamf_groups\":[\"Last Check-in < 90 Days (All Sites)\",\"FileVault - Boot Partitions Encrypted\"],\"jamf_groups_detailed\":[{\"group_id\":940,\"group_name\":\"Jamf Connect - Password Synced\",\"smart_group\":true}],\"jamf_id\":9172433,\"jamf_location\":{\"building\":\"NYAX-1027\",\"email_address\":\"henry.woodruff@demo.local\",\"phone_number\":\"-4133\",\"position\":\"Research & Develop\",\"real_name\":\"Woodruff, Henry\",\"room\":168,\"username\":\"henry.woodruff@demo.local\"},\"jamf_version\":\"10.37.0-t1647292853\",\"last_agent_import\":\"Wed, 12 Nov 2025 00:02:18 GMT\",\"last_auth_run\":\"Wed, 12 Nov 2025 00:02:18 GMT\",\"last_contact_time\":\"Wed, 12 Nov 2025 00:02:18 GMT\",\"last_enrolled_date_utc\":\"Wed, 12 Nov 2025 00:02:18 GMT\",\"last_scan\":\"Wed, 12 Nov 2025 00:02:18 GMT\",\"last_seen_agents\":\"Wed, 12 Nov 2025 00:02:18 GMT\",\"last_unauth_run\":\"Wed, 12 Nov 2025 00:02:18 GMT\",\"last_used_users\":[\"sherri.campbell@demo.local\"],\"last_used_users_departments_association\":[\"Customer 
Success\"],\"last_used_users_email_domain_association\":[\"demo.local\"],\"last_used_users_internal_axon_id_association\":[\"8227b6e961cf0ee129dbc29e6a985746\"],\"last_used_users_mail_association\":[\"henry.woodruff@demo.local\"],\"last_used_users_user_manager_association\":[\"dennis.harrison@demo.local\"],\"last_used_users_user_manager_mail_association\":[\"dennis.harrison@demo.local\"],\"last_used_users_user_status_association\":[\"ACTIVE\",\"active\"],\"last_used_users_user_title_association\":[\"Customer Success Team Leader\"],\"latest_used_user\":\"henry.woodruff@demo.local\",\"latest_used_user_department\":\"Customer Success\",\"latest_used_user_email_domain\":\"demo.local\",\"latest_used_user_mail\":\"henry.woodruff@demo.local\",\"latest_used_user_user_manager\":\"dennis.harrison@demo.local\",\"latest_used_user_user_status\":\"ACTIVE\",\"latest_used_user_user_title\":\"Customer Success Team Leader\",\"linked_tickets\":[{\"category\":\"Inquiry \\/ Help\",\"created\":\"Thu, 01 Aug 2024 03:10:27 GMT\",\"description\":\"Program takes too long to run - Please take care of this\",\"display_id\":\"INC8652441\",\"priority\":\"1 - Critical\",\"reporter\":\"Julie Donohue\",\"status\":\"Pending\",\"summary\":\"Program takes too long to run\",\"updated\":\"Thu, 01 Aug 2024 03:10:27 GMT\"}],\"lock\":\"unlocked\",\"meeting_id\":\"88241487032\",\"microphone\":\"WH-CH510\",\"nat_policy_ips\":[{\"address\":\"172.16.17.68\",\"direction\":\"translated-destination\",\"matched_on\":\"original-destination\",\"policy_name\":\"INTERNET_POLICY\",\"rule_num\":176,\"uid\":\"2eef8776-884f-42b5-9d3f-92e0ea392fc4\"}],\"network\":\"Demo Network\",\"network_interfaces\":[{\"ips\":[\"10.0.60.215\"],\"ips_raw\":[167787735],\"ips_v4\":[\"10.0.60.215\"],\"ips_v4_raw\":[167787735],\"mac\":\"00:0C:29:12:52:47\",\"manufacturer\":\"(VMware, 
Inc.)\",\"subnets\":[\"10.0.0.0\\/12\",\"10.0.0.0\\/16\"]}],\"network_status\":\"connected\",\"network_type\":\"Wifi\",\"nexpose_id\":83901,\"nexpose_type\":\"physical\",\"node_id\":\"2468_web5259645-dev\",\"node_name\":\"web5259645-dev\",\"normalization_reasons\":[{\"calculated_time\":\"Sat, 12 Apr 2025 22:59:20 GMT\",\"key\":\"normalized_invalid_macs\",\"original\":[\"000C29124E58\"],\"reason\":\"000C29125247 - non-correlative hardware - By MAC Normalizer\"}],\"open_ports\":[{\"port_id\":22,\"protocol\":\"TCP\"}],\"operational_status\":\"Operational\",\"organizational_unit\":\"\",\"os\":{\"codename\":\"Monterey\",\"distribution\":\"Red Hat 8\",\"distribution_name\":\"Red Hat\",\"end_of_life\":\"Sat, 12 Apr 2025 22:59:20 GMT\",\"end_of_support\":\"Sat, 12 Apr 2025 22:59:20 GMT\",\"is_end_of_life\":false,\"is_end_of_support\":true,\"is_latest_os_version\":false,\"is_windows_server\":false,\"latest_os_version\":\"9.5\",\"major\":8,\"minor\":5,\"os_cpe\":\"cpe:2.3:o:redhat:enterprise_linux:8:*:*:*:*:*:*:*\",\"os_dotted\":8,\"os_dotted_raw\":8,\"os_str\":\"rhel 8\",\"type\":\"Linux\",\"type_distribution\":\"Linux Red Hat 8\"},\"os_ext_attributes\":[{\"attr_name\":\"Root User\",\"data_type\":\"STRING\",\"definition_id\":168,\"ext_description\":\"Is root user enabled or disabled?\",\"input_type\":\"SCRIPT\",\"is_enabled\":true,\"is_multivalue\":false,\"values\":[]}],\"owner\":\"henry.woodruff@demo.local\",\"paloalto_device_type\":\"ARP\",\"part_of_domain\":true,\"physical_location\":\"Pune\",\"physical_memory_percentage\":90.625,\"plugin_and_severities\":[{\"cpe\":\"cpe:\\/a:openssl:openssl\",\"cve\":\"CVE-2024-6996\",\"cvss_base_score\":4.81,\"days_seen\":234,\"exploit_available\":false,\"family\":{\"id\":23,\"name\":\"General\"},\"first_found\":\"Sat, 12 Apr 2025 22:59:20 GMT\",\"first_seen\":\"Sat, 12 Apr 2025 22:59:20 GMT\",\"has_been_mitigated\":false,\"has_patch\":false,\"last_fixed\":\"Sat, 12 Apr 2025 22:59:20 GMT\",\"last_found\":\"Sat, 12 Apr 2025 22:59:20 
GMT\",\"last_seen\":\"Sat, 12 Apr 2025 22:59:20 GMT\",\"mitigated\":false,\"nessus_instance\":{\"credentialed_check\":\"yes (on the localhost)\",\"display_superseded_patches\":true,\"experimental_tests\":false,\"patch_management_checks\":\"None\",\"plugin_feed_version\":792392186379,\"report_verbosity\":1,\"safe_check\":true,\"scan_name\":\"Nessus Agent default san\",\"scan_policy_used\":\"Collect Inventory\",\"scan_type\":\"Unix Agent\",\"scanner_edition_used\":\"Nessus\",\"scanner_ip\":\"127.0.0.1\",\"thorough_tests\":false,\"version\":\"10.5.1\"},\"patch_publication_date\":\"Sat, 12 Apr 2025 22:59:20 GMT\",\"plugin\":\"CVE-2024-6996_PLUGIN\",\"plugin_id\":156057,\"plugin_id_number\":156057,\"severity\":\"high\",\"severity_modification_type\":\"NONE\",\"solution\":\"Disable IPv6 if you are not actually using it. Otherwise, disable any unused IPv6 interfaces.\",\"state\":\"ACTIVE\",\"unsupported_by_vendor\":false,\"vpr_score\":1.77,\"vuln_state\":\"Opened\"}],\"policy_id\":\"fec858b9-ffad-46c7-b3e2-0042ea8143a8\",\"policy_name\":\"8271748d71-2a25-91fd-8f87a89b976c32-122319\\/Basic Network Scan\",\"power_state\":\"TurnedOn\",\"ranger_version\":\"21.11.0.75\",\"raw_hostname\":\"esx-monitor1871068-stg.healthcare-subsidiary.com\",\"read_only\":true,\"recording\":true,\"relative_path\":\"bf952f98-7d40-4ff2-81d0-8794f3a08256\",\"report_date\":\"Fri, 11 Apr 2025 06:18:17 GMT\",\"resource_group\":\"Devices\",\"risk_level\":\"none\",\"scan_results\":[\"Axonius Demo - Agents\",\"Axonius Demo - Agents\",\"Manufacturing - OT\"],\"scan_results_objs\":[{\"id\":6174,\"name\":\"Axonius Demo - Agents\",\"status\":\"Completed\"}],\"scanner\":true,\"security_updates_last_changed\":\"Fri, 11 Apr 2025 06:18:17 
GMT\",\"security_updates_status\":\"active\",\"services\":[],\"severity_critical\":0,\"severity_high\":0,\"severity_info\":67,\"severity_low\":0,\"severity_medium\":0,\"share_application\":false,\"share_desktop\":true,\"share_whiteboard\":false,\"sip_status\":true,\"site_name\":\"Jerusalem\",\"software_cves\":[{\"axonius_risk_score\":4.98,\"axonius_status\":\"Open\",\"axonius_status_last_update\":\"11 Apr 2025 06:18:17 GMT\",\"custom_software_cves_business_unit\":\"Infra: On-Prem (bare metal)\",\"cve_from_sw_analysis\":true,\"cve_id\":\"CVE-2024-4358\",\"cve_list\":[],\"cve_severity\":\"CRITICAL\",\"cve_synopsis\":\"Discovered closed port on the host (reachable without firewalling).\",\"cvss\":9.8,\"cvss2_score\":9.8,\"cvss2_score_num\":9.8,\"cvss3_score\":7,\"cvss3_score_num\":7,\"cvss4_score\":5.5,\"cvss4_score_num\":5.5,\"cvss_str\":\"CVSS 9.8\",\"cvss_vector\":\"CVSS:3.1\\/AV:N\\/AC:L\\/PR:N\\/UI:N\\/S:U\\/C:H\\/I:H\\/A:H\",\"cvss_version\":\"v3.0\",\"cwe_id\":\"\",\"epss\":{\"creation_date\":\"11 Apr 2025 06:18:17 GMT\",\"cve_id\":\"CVE-2016-10010\",\"percentile\":0.24268,\"score\":0.0008},\"exploitability_score\":3.9,\"first_fetch_time\":\"11 Apr 2025 06:18:17 GMT\",\"hash_id\":\"4kpAtLKz2YMqXtns\",\"impact_score\":5.9,\"last_fetch_time\":\"11 Apr 2025 06:18:17 GMT\",\"last_modified_date\":\"11 Apr 2025 06:18:17 GMT\",\"mitigated\":false,\"msrc\":{\"creation_date\":\"Tue\",\"cve_id\":\"CVE-2024-32021\",\"title\":\"CVE-2024-32021\"},\"nvd_publish_age\":3232,\"publish_date\":\"11 Apr 2025 06:18:17 GMT\",\"software_name\":\"Web Help Desk\",\"software_type\":\"Application\",\"software_vendor\":\"SolarWinds\",\"software_version\":\"12.8.1\",\"solution_hash_id\":\"1lCfLMyv4gV3dPO5\",\"version_raw\":\"0000000120000000800000001\"}],\"speaker\":\"Logi USB Headset\",\"special_hint\":0,\"special_hint_underscore\":\"rInternal\",\"subnet_tag\":\"VLAN 
Jerusalem\",\"swap_free\":8.4,\"swap_total\":14,\"sys_id\":\"ddfdcdfddfad8f4e475a653c515cb0be\",\"table_type\":\"vm\",\"tenant_tag\":\"AXONDEMO\",\"threat_level\":\"High-High\",\"threats\":[],\"total\":67,\"total_number_of_cores\":6,\"total_physical_memory\":32,\"u_business_owner\":\"Brady Allen\",\"u_business_unit\":\"Sales\",\"uniq_sites_count\":47,\"uri\":\"swis:\\/\\/esx-web5259645-dev.demo.local\\/Orion\\/Orion.Nodes\\/NodeID=2468\",\"uuid\":\"0e3a686a-79d6-43c4-a09f-08f5330fb198\",\"vendor\":\"intel\",\"virtual_host\":true,\"vm_status\":\"Suspended\",\"vm_type\":\"lxc\",\"vpn_domain\":\"esx-externalmongo-5344437-prd.manufacturing.com\",\"vpn_is_local\":true,\"vpn_lifetime\":43200,\"vpn_public_ip\":\"0.0.0.0\",\"vpn_tunnel_type\":\"SSL\",\"vpn_type\":\"Device Level VPN\",\"z_sys_class_name\":\"cmdb_ci_vm\",\"z_table_hierarchy\":[{\"name\":\"cmdb_ci_vm\"}],\"zoom_ip\":\"0.0.0.0\"}},\"event.enrichment_type\":\"cve\",\"event.entity\":\"devices\",\"event.hidden_for_gui\":true,\"event.name\":\"cisa_enrichment_0\"}", + "reason": [ + "000C29125247 - non-correlative hardware - By MAC Normalizer" + ], + "type": [ + "info" + ], + "url": "swis://esx-web5259645-dev.demo.local/Orion/Orion.Nodes/NodeID=2468" + }, + "host": { + "domain": "healthcare-subsidiary.com", + "hostname": "esx-monitor1871068-stg.healthcare-subsidiary.com", + "id": "0e3a686a-79d6-43c4-a09f-08f5330fb198", + "name": [ + "esx-monitor1871068-stg.healthcare-subsidiary.com", + "esx-web5259645-dev.demo.local" + ], + "os": { + "family": "red hat", + "full": "Linux Red Hat 8", + "type": "linux", + "version": "9.5" + } + }, + "related": { + "hash": [ + "4kpAtLKz2YMqXtns", + "1lCfLMyv4gV3dPO5" + ], + "hosts": [ + "85584A471A1FEDBF", + "mcafee.demo.local", + "esx-monitor1871068-stg.healthcare-subsidiary.com", + "esx-web5259645-dev.demo.local", + "0e3a686a-79d6-43c4-a09f-08f5330fb198", + "esx-externalmongo-5344437-prd.manufacturing.com" + ], + "ip": [ + "10.0.60.215", + "81.2.69.142", + "172.16.17.68", + "0.0.0.0" 
+ ], + "user": [ + "henry.woodruff@demo.local", + "true", + "{}", + "ronald.mays@demo.local", + "sherri.campbell@demo.local", + "dennis.harrison@demo.local", + "Brady Allen" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user_agent": { + "version": "2.1.1590" + }, + "vulnerability": { + "description": [ + "Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access." + ], + "id": [ + "CVE-2024-4358", + "CVE-2024-6996" + ], + "severity": [ + "high" + ] + } + } + ] +} diff --git a/packages/axonius/data_stream/network/_dev/test/system/test-default-config.yml b/packages/axonius/data_stream/network/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..64adfbb1dd9 --- /dev/null +++ b/packages/axonius/data_stream/network/_dev/test/system/test-default-config.yml @@ -0,0 +1,13 @@ +input: cel +service: axonius +vars: + url: http://{{Hostname}}:{{Port}} + api_key: xxxx + secret_key: xxxx +data_stream: + vars: + preserve_original_event: true + preserve_duplicate_custom_fields: true + batch_size: 2 +assert: + hit_count: 10 diff --git a/packages/axonius/data_stream/network/agent/stream/cel.yml.hbs b/packages/axonius/data_stream/network/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..52335bac1f4 --- /dev/null +++ b/packages/axonius/data_stream/network/agent/stream/cel.yml.hbs 
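Review bot: `related.user` in the expected document carries the literal strings `"true"` and `"{}"` next to the real identities, so the pipeline is appending something other than a user name: the only boolean in the source record under a user-shaped field is `associated_device_users[].is_latest_used_user`, and the only object that collapses to `{}` once its empty `internal_axon_id`/`name` arrays are stripped is `associated_saas_applications[]`. `related.*` exists for pivoting, so the append should target the string field that actually holds the user (the `last_used_users*`/`latest_used_user*` values are already correct) and be guarded with a type check so booleans and objects are never coerced. The same care is needed for `related.hosts`, which contains the device serial `85584A471A1FEDBF` and the `uuid` alongside hostnames, and for `related.ip`, which contains `0.0.0.0` from `vpn_public_ip`/`zoom_ip`; drop that placeholder before appending. Separately, `host.os.version` is `"9.5"`, which is `os.latest_os_version`, while the installed release is `major: 8`, `minor: 5` (`os_str: "rhel 8"`); `host.os.version` should describe what is running on the asset, so map it from `os.major`/`os.minor` (or `os_dotted`) and leave the latest available version under `axonius.network.event.data.os`. Finally, `user_agent.version: "2.1.1590"` is taken from `agent_version`, which here is an endpoint agent build rather than an HTTP user agent, so it does not belong under `user_agent.*`.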
@@ -0,0 +1,129 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} + +state: + api_key: {{api_key}} + secret_key: {{secret_key}} + batch_size: {{batch_size}} + asset_type_list: + - networks + - load_balancers + - network_services + - network_devices + - firewalls + - nat_rules + - network_routes + +redact: + fields: + - api_key + - secret_key +program: | + ( + state.?worklist.asset_type_list[0].hasValue() ? + state + : + state.drop("worklist").with( + { + "worklist": { + "asset_type_list": state.asset_type_list, + } + } + ) + ).as(state, state.with( + request( + "POST", + state.url.trim_right("/") + "/api/v2/assets/" + string(state.worklist.asset_type_list[0]) + ).with( + { + "Header": { + "Content-Type": ["application/json"], + "api-key": [state.api_key], + "api-secret": [state.secret_key], + }, + "Body": { + "include_metadata": true, + "page": { + "limit": state.batch_size, + }, + ?"next_page": state.?worklist.?next_page, + "fields": ["specific_data"], + "use_cache_entry": false, + "include_details": false, + }.encode_json(), + } + ).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, + { + "events": (has(body.assets) && size(body.assets) > 0 ? 
+ body.assets.map(assets, + assets.specific_data.map(d,{ + "message":{ + ?"internal_axon_id": assets.?internal_axon_id, + ?"adapters": assets.?adapters, + ?"adapter_list_length": assets.?adapter_list_length, + ?"labels": assets.?labels, + "asset_type": string(state.worklist.asset_type_list[0]), + "event": d + }.encode_json(), + }) + ).flatten() + : + [{"message":"empty_data"}] + ), + "worklist": { + "asset_type_list": (has(body.meta.page.number) && has(body.meta.page.totalPages) && + int(body.meta.page.number) < int(body.meta.page.totalPages)) ? state.worklist.asset_type_list : tail(state.worklist.asset_type_list), + "next_page": (has(body.meta.page.number) && has(body.meta.page.totalPages) && + int(body.meta.page.number) < int(body.meta.page.totalPages)) ? (body.?meta.?next_page) : null, + }, + "want_more": (has(body.meta.page.number) && has(body.meta.page.totalPages) && + int(body.meta.page.number) < int(body.meta.page.totalPages) || size(state.worklist.asset_type_list) > 1), + } + ) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST:" + state.url.trim_right("/") + "/api/v2/assets/ " + string(state.worklist.asset_type_list[0]) + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false, + } + ) + )) +tags: +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/axonius/data_stream/network/elasticsearch/ilm/default_policy.json b/packages/axonius/data_stream/network/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..a2258ec38f8 --- /dev/null +++ b/packages/axonius/data_stream/network/elasticsearch/ilm/default_policy.json 
@@ -0,0 +1,23 @@ +{ + "policy": { + "phases": { + "hot": { + "actions": { + "rollover": { + "max_age": "2d", + "max_size": "50gb" + }, + "set_priority": { + "priority": 100 + } + } + }, + "delete": { + "min_age": "30d", + "actions": { + "delete": {} + } + } + } + } +} diff --git a/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/default.yml b/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..9fb5a915871 --- /dev/null +++ b/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,524 @@ +--- +description: Pipeline for processing network asset common logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 9.2.0 + - terminate: + description: error message set and no data to process. + tag: terminate_data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + - drop: + if: ctx.message == 'empty_data' + tag: drop_empty_data_events + + # remove agentless metadata + - remove: + description: Removes the fields added by Agentless as metadata, as they can collide with ECS fields. + tag: remove_agentless_tags + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + field: + - organization + - division + - team + ignore_missing: true + + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. 
+ if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + - fingerprint: + fields: + - event.original + tag: fingerprint_event_original + target_field: axonius.network.transform_unique_id + ignore_missing: true + - set: + tag: set_event_kind + field: event.kind + value: event + - append: + field: event.category + value: network + tag: category_network + - append: + field: event.type + value: info + tag: type_info + - convert: + field: json.adapter_list_length + tag: convert_adapter_list_length_to_long + target_field: axonius.network.adapter_list_length + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.adapters + tag: rename_adapters + target_field: axonius.network.adapters + ignore_missing: true + - rename: + field: json.asset_type + tag: rename_asset_type + target_field: axonius.network.asset_type + ignore_missing: true + - date: + field: json.event.accurate_for_datetime + tag: date_event_accurate_for_datetime + target_field: axonius.network.event.accurate_for_datetime + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.accurate_for_datetime != null && ctx.json.event.accurate_for_datetime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_@timestamp_from_network_event_accurate_for_datetime + copy_from: axonius.network.event.accurate_for_datetime + ignore_empty_value: true + - rename: + field: json.event.adapter_categories + 
tag: rename_event_adapter_categories + target_field: axonius.network.event.adapter_categories + ignore_missing: true + - rename: + field: json.event.client_used + tag: rename_event_client_used + target_field: axonius.network.event.client_used + ignore_missing: true + - date: + field: json.event.data.accurate_for_datetime + tag: date_event_data_accurate_for_datetime + target_field: axonius.network.event.data.accurate_for_datetime + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.accurate_for_datetime != null && ctx.json.event.data.accurate_for_datetime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.application_and_account_name + tag: rename_event_data_application_and_account_name + target_field: axonius.network.event.data.application_and_account_name + ignore_missing: true + - rename: + field: json.event.data.asset_entity_info + tag: rename_event_data_asset_entity_info + target_field: axonius.network.event.data.asset_entity_info + ignore_missing: true + - rename: + field: json.event.data.asset_type + tag: rename_event_data_asset_type + target_field: axonius.network.event.data.asset_type + ignore_missing: true + - rename: + field: json.event.data.connected_assets + tag: rename_event_data_connected_assets + target_field: axonius.network.event.data.connected_assets + ignore_missing: true + - rename: + field: json.event.data.destination_addresses + tag: rename_event_data_destination_addresses + target_field: axonius.network.event.data.destination_addresses + ignore_missing: true + - rename: + field: json.event.data.destination_zone + tag: rename_event_data_destination_zone + target_field: axonius.network.event.data.destination_zone + 
ignore_missing: true + - rename: + field: json.event.data.device_group + tag: rename_event_data_device_group + target_field: axonius.network.event.data.device_group + ignore_missing: true + - date: + field: json.event.data.fetch_time + tag: date_event_data_fetch_time + target_field: axonius.network.event.data.fetch_time + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.fetch_time != null && ctx.json.event.data.fetch_time != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.event.data.first_fetch_time + tag: date_event_data_first_fetch_time + target_field: axonius.network.event.data.first_fetch_time + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.first_fetch_time != null && ctx.json.event.data.first_fetch_time != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.event.data.first_seen + tag: date_event_data_first_seen + target_field: axonius.network.event.data.first_seen + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.first_seen != null && ctx.json.event.data.first_seen != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: 
json.event.data.from_last_fetch + tag: convert_event_data_from_last_fetch_to_boolean + target_field: axonius.network.event.data.from_last_fetch + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.id + tag: rename_event_data_id + target_field: axonius.network.event.data.id + ignore_missing: true + - rename: + field: json.event.data.id_raw + tag: rename_event_data_id_raw + target_field: axonius.network.event.data.id_raw + ignore_missing: true + - convert: + field: json.event.data.is_exposing_public_traffic + tag: convert_event_data_is_exposing_public_traffic_to_boolean + target_field: axonius.network.event.data.is_exposing_public_traffic + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.is_fetched_from_adapter + tag: convert_event_data_is_fetched_from_adapter_to_boolean + target_field: axonius.network.event.data.is_fetched_from_adapter + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.last_fetch_connection_id + tag: rename_event_data_last_fetch_connection_id + target_field: axonius.network.event.data.last_fetch_connection_id + ignore_missing: true + - rename: + field: json.event.data.last_fetch_connection_label + tag: 
rename_event_data_last_fetch_connection_label + target_field: axonius.network.event.data.last_fetch_connection_label + ignore_missing: true + - date: + field: json.event.data.last_seen + tag: date_event_data_last_seen + target_field: axonius.network.event.data.last_seen + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.last_seen != null && ctx.json.event.data.last_seen != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.name + tag: rename_event_data_name + target_field: axonius.network.event.data.name + ignore_missing: true + - convert: + field: json.event.data.not_fetched_count + tag: convert_event_data_not_fetched_count_to_long + target_field: axonius.network.event.data.not_fetched_count + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.pretty_id + tag: rename_event_data_pretty_id + target_field: axonius.network.event.data.pretty_id + ignore_missing: true + - rename: + field: json.event.data.protocol + tag: rename_event_data_protocol + target_field: axonius.network.event.data.protocol + ignore_missing: true + - set: + field: network.protocol + tag: set_network_protocol_from_network_event_data_protocol + copy_from: axonius.network.event.data.protocol + ignore_empty_value: true + - lowercase: + field: network.protocol + tag: lowercase_network_protocol + ignore_missing: true + - rename: + field: json.event.data.relatable_ids + tag: rename_event_data_relatable_ids + 
target_field: axonius.network.event.data.relatable_ids + ignore_missing: true + - rename: + field: json.event.data.related_network_route_ids + tag: rename_event_data_related_network_route_ids + target_field: axonius.network.event.data.related_network_route_ids + ignore_missing: true + - rename: + field: json.event.data.rule_base_type + tag: rename_event_data_rule_base_type + target_field: axonius.network.event.data.rule_base_type + ignore_missing: true + - rename: + field: json.event.data.rule_type + tag: rename_event_data_rule_type + target_field: axonius.network.event.data.rule_type + ignore_missing: true + - foreach: + field: json.event.data.source_addresses + tag: foreach_event_data_source_addresses + if: ctx.json?.event?.data?.source_addresses instanceof List + processor: + convert: + field: _ingest._value + tag: convert_event_data_source_addresses_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.source_addresses + tag: foreach_event_data_source_addresses + if: ctx.json?.event?.data?.source_addresses instanceof List + processor: + append: + field: source.address + tag: append_event_data_source_addresses_into_source_address + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: json.event.data.source_addresses + tag: foreach_event_data_source_addresses + if: ctx.json?.event?.data?.source_addresses instanceof List + processor: + append: + field: related.ip + tag: append_event_data_source_addresses_into_related_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.event.data.source_addresses + tag: rename_event_data_source_addresses + target_field: 
axonius.network.event.data.source_addresses + ignore_missing: true + - rename: + field: json.event.data.source_application + tag: rename_event_data_source_application + target_field: axonius.network.event.data.source_application + ignore_missing: true + - rename: + field: json.event.data.source_zone + tag: rename_event_data_source_zone + target_field: axonius.network.event.data.source_zone + ignore_missing: true + - rename: + field: json.event.data.status + tag: rename_event_data_status + target_field: axonius.network.event.data.status + ignore_missing: true + - rename: + field: json.event.data.tenant_number + tag: rename_event_data_tenant_number + target_field: axonius.network.event.data.tenant_number + ignore_missing: true + - rename: + field: json.event.data.type + tag: rename_event_data_type + target_field: axonius.network.event.data.type + ignore_missing: true + - rename: + field: json.event.initial_plugin_unique_name + tag: rename_event_initial_plugin_unique_name + target_field: axonius.network.event.initial_plugin_unique_name + ignore_missing: true + - rename: + field: json.event.plugin_name + tag: rename_event_plugin_name + target_field: axonius.network.event.plugin_name + ignore_missing: true + - rename: + field: json.event.plugin_type + tag: rename_event_plugin_type + target_field: axonius.network.event.plugin_type + ignore_missing: true + - rename: + field: json.event.plugin_unique_name + tag: rename_event_plugin_unique_name + target_field: axonius.network.event.plugin_unique_name + ignore_missing: true + - rename: + field: json.event.quick_id + tag: rename_event_quick_id + target_field: axonius.network.event.quick_id + ignore_missing: true + - rename: + field: json.event.type + tag: rename_event_type + target_field: axonius.network.event.type + ignore_missing: true + - rename: + field: json.internal_axon_id + tag: rename_internal_axon_id + target_field: axonius.network.internal_axon_id + ignore_missing: true + - pipeline: + name: '{{ IngestPipeline 
"pipeline-network" }}' + tag: pipeline_network + if: >- + ctx.axonius?.network?.asset_type.contains('networks') + - pipeline: + name: '{{ IngestPipeline "pipeline-load-balancer" }}' + tag: pipeline_load_balancer + if: >- + ctx.axonius?.network?.asset_type.contains('load_balancers') + - pipeline: + name: '{{ IngestPipeline "pipeline-network-device" }}' + tag: pipeline_network_device + if: >- + ctx.axonius?.network?.asset_type.contains('network_devices') + - pipeline: + name: '{{ IngestPipeline "pipeline-firewall" }}' + tag: pipeline_firewall + if: >- + ctx.axonius?.network?.asset_type.contains('firewalls') + - pipeline: + name: '{{ IngestPipeline "pipeline-nat-rule" }}' + tag: pipeline_nat_rule + if: >- + ctx.axonius?.network?.asset_type.contains('nat_rules') + - pipeline: + name: '{{ IngestPipeline "pipeline-network-route" }}' + tag: pipeline_network_route + if: >- + ctx.axonius?.network?.asset_type.contains('network_routes') + - remove: + field: + - axonius.network.event.accurate_for_datetime + - axonius.network.event.data.protocol + - axonius.network.event.data.destination_port + - axonius.network.event.action_if_exists + - axonius.network.event.data.agent_version + - axonius.network.event.data.cloud_provider_account_id + - axonius.network.event.data.device_manufacturer + - axonius.network.event.data.device_serial + - axonius.network.event.data.device_type + - axonius.network.event.data.domain + - axonius.network.event.data.fqdn + - axonius.network.event.data.guest_dns_name + - axonius.network.event.data.hostname + - axonius.network.event.data.os.distribution_name + - axonius.network.event.data.os.latest_os_version + - axonius.network.event.data.os.type_distribution + - axonius.network.event.data.creation_time_stamp + - axonius.network.event.data.direction + - axonius.network.event.data.location + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: json + 
tag: remove_json + ignore_missing: true + - script: + tag: script_to_drop_null_values + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-firewall.yml b/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-firewall.yml new file mode 100644 index 00000000000..b648678fed6 --- /dev/null +++ b/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-firewall.yml 
@@ -0,0 +1,72 @@ +--- +description: Pipeline for processing firewall logs. +processors: + - rename: + field: json.event.data.action + tag: rename_event_data_action + target_field: axonius.network.event.data.action + ignore_missing: true + - rename: + field: json.event.data.applications + tag: rename_event_data_applications + target_field: axonius.network.event.data.applications + ignore_missing: true + - foreach: + field: json.event.data.inbound_rules + tag: foreach_event_data_inbound_rules_from_port + if: ctx.json?.event?.data?.inbound_rules instanceof List + processor: + convert: + field: _ingest._value.from_port + tag: convert_event_data_inbound_rules_from_port_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.from_port + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.inbound_rules + tag: foreach_event_data_inbound_rules_to_port + if: ctx.json?.event?.data?.inbound_rules instanceof List + processor: + convert: + field: _ingest._value.to_port + tag: convert_event_data_inbound_rules_to_port_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.to_port + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.inbound_rules + tag: rename_event_data_inbound_rules + target_field: axonius.network.event.data.inbound_rules + ignore_missing: true + - rename: + field: json.event.data.service + tag: rename_event_data_service + target_field: axonius.network.event.data.service + ignore_missing: true 
+on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-load-balancer.yml b/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-load-balancer.yml new file mode 100644 index 00000000000..31201d591e9 --- /dev/null +++ b/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-load-balancer.yml 
@@ -0,0 +1,183 @@ +--- +description: Pipeline for processing load balancer logs. +processors: + - convert: + field: json.event.data.allow_nat + tag: convert_event_data_allow_nat_to_boolean + target_field: axonius.network.event.data.allow_nat + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.balanced_integer_ips + tag: foreach_event_data_balanced_integer_ips + if: ctx.json?.event?.data?.balanced_integer_ips instanceof List + processor: + convert: + field: _ingest._value + tag: convert_event_data_balanced_integer_ips_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.balanced_integer_ips + tag: rename_event_data_balanced_integer_ips + target_field: axonius.network.event.data.balanced_integer_ips + ignore_missing: true + - foreach: + field: json.event.data.balanced_ips + tag: foreach_event_data_balanced_ips + if: ctx.json?.event?.data?.balanced_ips instanceof List + processor: + convert: + field: _ingest._value + tag: convert_event_data_balanced_ips_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: 
json.event.data.balanced_ips + tag: foreach_event_data_balanced_ips + if: ctx.json?.event?.data?.balanced_ips instanceof List + processor: + append: + field: related.ip + tag: append_event_data_balanced_ips_into_related_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.event.data.balanced_ips + tag: rename_event_data_balanced_ips + target_field: axonius.network.event.data.balanced_ips + ignore_missing: true + - rename: + field: json.event.data.destination + tag: rename_event_data_destination + target_field: axonius.network.event.data.destination + ignore_missing: true + - foreach: + field: json.event.data.pool_members_ips + tag: foreach_event_data_pool_members_ips + if: ctx.json?.event?.data?.pool_members_ips instanceof List + processor: + convert: + field: _ingest._value + tag: convert_event_data_pool_members_ips_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.pool_members_ips + tag: foreach_event_data_pool_members_ips + if: ctx.json?.event?.data?.pool_members_ips instanceof List + processor: + append: + field: related.ip + tag: append_event_data_pool_members_ips_into_related_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.event.data.pool_members_ips + tag: rename_event_data_pool_members_ips + target_field: axonius.network.event.data.pool_members_ips + ignore_missing: true + - rename: + field: json.event.data.pool_name + tag: rename_event_data_pool_name + target_field: axonius.network.event.data.pool_name + ignore_missing: true + - foreach: + field: json.event.data.private_integer_ips + tag: foreach_event_data_private_integer_ips + if: 
ctx.json?.event?.data?.private_integer_ips instanceof List + processor: + convert: + field: _ingest._value + tag: convert_event_data_private_integer_ips_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.private_integer_ips + tag: rename_event_data_private_integer_ips + target_field: axonius.network.event.data.private_integer_ips + ignore_missing: true + - foreach: + field: json.event.data.private_ips + tag: foreach_event_data_private_ips + if: ctx.json?.event?.data?.private_ips instanceof List + processor: + convert: + field: _ingest._value + tag: convert_event_data_private_ips_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.private_ips + tag: foreach_event_data_private_ips + if: ctx.json?.event?.data?.private_ips instanceof List + processor: + append: + field: related.ip + tag: append_event_data_private_ips_into_related_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.event.data.private_ips + tag: rename_event_data_private_ips + target_field: axonius.network.event.data.private_ips + ignore_missing: true + - rename: + field: json.event.data.server_type + tag: rename_event_data_server_type + target_field: axonius.network.event.data.server_type + ignore_missing: true +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ 
_ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-nat-rule.yml b/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-nat-rule.yml new file mode 100644 index 00000000000..9bc03315c03 --- /dev/null +++ b/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-nat-rule.yml 
@@ -0,0 +1,251 @@ +--- +description: Pipeline for processing nat rules logs. +processors: + - foreach: + field: json.event.data.destination_ips + tag: foreach_event_data_destination_ips + if: ctx.json?.event?.data?.destination_ips instanceof List + processor: + convert: + field: _ingest._value + tag: convert_event_data_destination_ips_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.destination_ips + tag: foreach_event_data_destination_ips + if: ctx.json?.event?.data?.destination_ips instanceof List + processor: + append: + field: related.ip + tag: append_event_data_destination_ips_into_related_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.event.data.destination_ips + tag: rename_event_data_destination_ips + target_field: axonius.network.event.data.destination_ips + ignore_missing: true + - convert: + field: json.event.data.destination_port + tag: convert_event_data_destination_port_to_long + target_field: axonius.network.event.data.destination_port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.port + tag: set_destination_port_from_network_event_data_destination_port + copy_from: axonius.network.event.data.destination_port + ignore_empty_value: true + - convert: + field: json.event.data.is_enabled + tag: convert_event_data_is_enabled_to_boolean + target_field: axonius.network.event.data.is_enabled + type: boolean 
+ ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.method + tag: rename_event_data_method + target_field: axonius.network.event.data.method + ignore_missing: true + - foreach: + field: json.event.data.nat_translations + tag: foreach_event_data_nat_translations_from_destination_integer_ip + if: ctx.json?.event?.data?.nat_translations instanceof List + processor: + convert: + field: _ingest._value.from_destination_integer_ip + tag: convert_event_data_nat_translations_from_destination_integer_ip_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.from_destination_integer_ip + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.nat_translations + tag: foreach_event_data_nat_translations_from_source_integer_ip + if: ctx.json?.event?.data?.nat_translations instanceof List + processor: + convert: + field: _ingest._value.from_source_integer_ip + tag: convert_event_data_nat_translations_from_source_integer_ip_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.from_source_integer_ip + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.nat_translations + tag: foreach_event_data_nat_translations_is_destination_ip_range_public + if: 
ctx.json?.event?.data?.nat_translations instanceof List + processor: + convert: + field: _ingest._value.is_destination_ip_range_public + tag: convert_event_data_nat_translations_is_destination_ip_range_public_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_destination_ip_range_public + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.nat_translations + tag: foreach_event_data_nat_translations_is_source_ip_range_public + if: ctx.json?.event?.data?.nat_translations instanceof List + processor: + convert: + field: _ingest._value.is_source_ip_range_public + tag: convert_event_data_nat_translations_is_source_ip_range_public_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_source_ip_range_public + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.nat_translations + tag: foreach_event_data_nat_translations_to_destination_integer_ip + if: ctx.json?.event?.data?.nat_translations instanceof List + processor: + convert: + field: _ingest._value.to_destination_integer_ip + tag: convert_event_data_nat_translations_to_destination_integer_ip_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.to_destination_integer_ip + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed 
with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.nat_translations + tag: foreach_event_data_nat_translations_to_source_integer_ip + if: ctx.json?.event?.data?.nat_translations instanceof List + processor: + convert: + field: _ingest._value.to_source_integer_ip + tag: convert_event_data_nat_translations_to_source_integer_ip_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.to_source_integer_ip + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.nat_translations + tag: rename_event_data_nat_translations + target_field: axonius.network.event.data.nat_translations + ignore_missing: true + - foreach: + field: json.event.data.public_ips + tag: foreach_event_data_public_ips + if: ctx.json?.event?.data?.public_ips instanceof List + processor: + convert: + field: _ingest._value + tag: convert_event_data_public_ips_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.public_ips + tag: foreach_event_data_public_ips + if: ctx.json?.event?.data?.public_ips instanceof List + processor: + append: + field: related.ip + tag: append_event_data_public_ips_into_related_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.event.data.public_ips + tag: rename_event_data_public_ips + target_field: axonius.network.event.data.public_ips + ignore_missing: true + - foreach: + field: 
json.event.data.source_ips + tag: foreach_event_data_source_ips + if: ctx.json?.event?.data?.source_ips instanceof List + processor: + convert: + field: _ingest._value + tag: convert_event_data_source_ips_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.source_ips + tag: foreach_event_data_source_ips + if: ctx.json?.event?.data?.source_ips instanceof List + processor: + append: + field: related.ip + tag: append_event_data_source_ips_into_related_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.event.data.source_ips + tag: rename_event_data_source_ips + target_field: axonius.network.event.data.source_ips + ignore_missing: true +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-network-device.yml b/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-network-device.yml new file mode 100644 index 00000000000..ebaedd9f1cb --- /dev/null +++ b/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-network-device.yml 
@@ -0,0 +1,3121 @@ +--- +description: Pipeline for processing network device logs. +processors: + - append: + field: event.category + value: vulnerability + tag: category_vulnerability + - rename: + field: json.event.action_if_exists + tag: rename_event_action_if_exists + target_field: axonius.network.event.action_if_exists + ignore_missing: true + - set: + field: event.action + tag: set_event_action_from_network_event_action_if_exists + copy_from: axonius.network.event.action_if_exists + ignore_empty_value: true + - lowercase: + field: event.action + tag: lowercase_event_action + ignore_missing: true + - split: + field: event.action + tag: split_event_action + separator: \s+ + ignore_missing: true + if: ctx.event?.action != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - join: + field: event.action + tag: join_event_action + separator: '-' + if: ctx.event?.action != null && ctx.event.action != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.associated_adapter_plugin_name + tag: rename_event_associated_adapter_plugin_name + target_field: axonius.network.event.associated_adapter_plugin_name + ignore_missing: true + - rename: + field: json.event.association_type + tag: rename_event_association_type + target_field: axonius.network.event.association_type + ignore_missing: true + - convert: + field: json.event.data._keep_hostname_empty + tag: convert_event_data__keep_hostname_empty_to_boolean + target_field: axonius.network.event.data._keep_hostname_empty + type: boolean + ignore_missing: true + on_failure: + - 
append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.adapter_properties + tag: rename_event_data_adapter_properties + target_field: axonius.network.event.data.adapter_properties + ignore_missing: true + - rename: + field: json.event.data.agent_version + tag: rename_event_data_agent_version + target_field: axonius.network.event.data.agent_version + ignore_missing: true + - set: + field: user_agent.version + tag: set_user_agent_version_from_network_event_data_agent_version + copy_from: axonius.network.event.data.agent_version + ignore_empty_value: true + - rename: + field: json.event.data.agent_versions + tag: rename_event_data_agent_versions + target_field: axonius.network.event.data.agent_versions + ignore_missing: true + - rename: + field: json.event.data.all_associated_email_addresses + tag: rename_event_data_all_associated_email_addresses + target_field: axonius.network.event.data.all_associated_email_addresses + ignore_missing: true + - rename: + field: json.event.data.anti_malware_agent_status + tag: rename_event_data_anti_malware_agent_status + target_field: axonius.network.event.data.anti_malware_agent_status + ignore_missing: true + - rename: + field: json.event.data.anti_malware_agent_status_message + tag: rename_event_data_anti_malware_agent_status_message + target_field: axonius.network.event.data.anti_malware_agent_status_message + ignore_missing: true + - rename: + field: json.event.data.anti_malware_state + tag: rename_event_data_anti_malware_state + target_field: axonius.network.event.data.anti_malware_state + ignore_missing: true + - rename: + field: json.event.data.arp_interface + tag: rename_event_data_arp_interface + target_field: axonius.network.event.data.arp_interface + ignore_missing: true + - rename: + field: 
json.event.data.arp_port + tag: rename_event_data_arp_port + target_field: axonius.network.event.data.arp_port + ignore_missing: true + - rename: + field: json.event.data.arp_status + tag: rename_event_data_arp_status + target_field: axonius.network.event.data.arp_status + ignore_missing: true + - convert: + field: json.event.data.arp_ttl + tag: convert_event_data_arp_ttl_to_long + target_field: axonius.network.event.data.arp_ttl + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.assessed_for_policies + tag: convert_event_data_assessed_for_policies_to_boolean + target_field: axonius.network.event.data.assessed_for_policies + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.assessed_for_vulnerabilities + tag: convert_event_data_assessed_for_vulnerabilities_to_boolean + target_field: axonius.network.event.data.assessed_for_vulnerabilities + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.asset_install_status + tag: rename_event_data_asset_install_status + target_field: axonius.network.event.data.asset_install_status + ignore_missing: true + - rename: + field: json.event.data.asset_tag + tag: rename_event_data_asset_tag + target_field: 
axonius.network.event.data.asset_tag + ignore_missing: true + - rename: + field: json.event.data.asset_user_name + tag: rename_event_data_asset_user_name + target_field: axonius.network.event.data.asset_user_name + ignore_missing: true + - append: + field: related.user + tag: append_network_event_data_asset_user_name_into_related_user + value: '{{{axonius.network.event.data.asset_user_name}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.asset_user_name != null + - foreach: + field: json.event.data.associated_device_users + tag: foreach_event_data_associated_device_users_is_latest_used_user + if: ctx.json?.event?.data?.associated_device_users instanceof List + processor: + convert: + field: _ingest._value.is_latest_used_user + tag: convert_event_data_associated_device_users_is_latest_used_user_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_latest_used_user + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.associated_device_users + tag: foreach_event_data_associated_device_users_is_latest_used_user + if: ctx.json?.event?.data?.associated_device_users instanceof List + processor: + append: + field: related.user + tag: append_event_data_associated_device_users_is_latest_used_user_into_related_user + value: '{{{_ingest._value.is_latest_used_user}}}' + allow_duplicates: false + - foreach: + field: json.event.data.associated_device_users + tag: foreach_event_data_associated_device_users_last_used_email + if: ctx.json?.event?.data?.associated_device_users instanceof List + processor: + append: + field: related.user + tag: append_event_data_associated_device_users_last_used_email_into_related_user + value: '{{{_ingest._value.last_used_email}}}' + 
allow_duplicates: false + - foreach: + field: json.event.data.associated_device_users + tag: foreach_event_data_associated_device_users_last_used_user_manager + if: ctx.json?.event?.data?.associated_device_users instanceof List + processor: + append: + field: related.user + tag: append_event_data_associated_device_users_last_used_user_manager_into_related_user + value: '{{{_ingest._value.last_used_user_manager}}}' + allow_duplicates: false + - rename: + field: json.event.data.associated_device_users + tag: rename_event_data_associated_device_users + target_field: axonius.network.event.data.associated_device_users + ignore_missing: true + - rename: + field: json.event.data.associated_saas_applications + tag: rename_event_data_associated_saas_applications + target_field: axonius.network.event.data.associated_saas_applications + ignore_missing: true + - rename: + field: json.event.data.axon_id + tag: rename_event_data_axon_id + target_field: axonius.network.event.data.axon_id + ignore_missing: true + - rename: + field: json.event.data.axonius_instance_name + tag: rename_event_data_axonius_instance_name + target_field: axonius.network.event.data.axonius_instance_name + ignore_missing: true + - rename: + field: json.event.data.browsers + tag: rename_event_data_browsers + target_field: axonius.network.event.data.browsers + ignore_missing: true + - rename: + field: json.event.data.category + tag: rename_event_data_category + target_field: axonius.network.event.data.category + ignore_missing: true + - date: + field: json.event.data.certificate_expiry_date + tag: date_event_data_certificate_expiry_date + target_field: axonius.network.event.data.certificate_expiry_date + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.certificate_expiry_date != null && ctx.json.event.data.certificate_expiry_date != '' + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.chrome_device_type + tag: rename_event_data_chrome_device_type + target_field: axonius.network.event.data.chrome_device_type + ignore_missing: true + - foreach: + field: json.event.data.cisa_vulnerabilities + tag: foreach_event_data_cisa_vulnerabilities_added + if: ctx.json?.event?.data?.cisa_vulnerabilities instanceof List + processor: + date: + field: _ingest._value.added + tag: date_event_data_cisa_vulnerabilities_added + target_field: _ingest._value.added + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.added + ignore_missing: true + - foreach: + field: json.event.data.cisa_vulnerabilities + tag: foreach_event_data_cisa_vulnerabilities_cve_id + if: ctx.json?.event?.data?.cisa_vulnerabilities instanceof List + processor: + append: + field: vulnerability.id + tag: append_event_data_cisa_vulnerabilities_cve_id_into_vulnerability_id + value: '{{{_ingest._value.cve_id}}}' + allow_duplicates: false + - foreach: + field: json.event.data.cisa_vulnerabilities + tag: foreach_event_data_cisa_vulnerabilities_desc + if: ctx.json?.event?.data?.cisa_vulnerabilities instanceof List + processor: + append: + field: vulnerability.description + tag: append_event_data_cisa_vulnerabilities_desc_into_vulnerability_description + value: '{{{_ingest._value.desc}}}' + allow_duplicates: false + - foreach: + field: json.event.data.cisa_vulnerabilities + tag: foreach_event_data_cisa_vulnerabilities_due_date + if: ctx.json?.event?.data?.cisa_vulnerabilities instanceof List + processor: + date: + field: _ingest._value.due_date + tag: date_event_data_cisa_vulnerabilities_due_date + target_field: _ingest._value.due_date + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - 
yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.due_date + ignore_missing: true + - foreach: + field: json.event.data.cisa_vulnerabilities + tag: foreach_event_data_cisa_vulnerabilities_used_in_ransomware + if: ctx.json?.event?.data?.cisa_vulnerabilities instanceof List + processor: + convert: + field: _ingest._value.used_in_ransomware + tag: convert_event_data_cisa_vulnerabilities_used_in_ransomware_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.used_in_ransomware + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.cisa_vulnerabilities + tag: rename_event_data_cisa_vulnerabilities + target_field: axonius.network.event.data.cisa_vulnerabilities + ignore_missing: true + - rename: + field: json.event.data.class_name + tag: rename_event_data_class_name + target_field: axonius.network.event.data.class_name + ignore_missing: true + - rename: + field: json.event.data.class_title + tag: rename_event_data_class_title + target_field: axonius.network.event.data.class_title + ignore_missing: true + - rename: + field: json.event.data.class_type + tag: rename_event_data_class_type + target_field: axonius.network.event.data.class_type + ignore_missing: true + - rename: + field: json.event.data.cloud_provider_account_id + tag: rename_event_data_cloud_provider_account_id + target_field: axonius.network.event.data.cloud_provider_account_id + ignore_missing: true + - set: + field: cloud.account.id + tag: set_cloud_account_id_from_network_event_data_cloud_provider_account_id + copy_from: axonius.network.event.data.cloud_provider_account_id + ignore_empty_value: true + - foreach: + field: json.event.data.cmdb_business_applications + tag: 
foreach_event_data_cmdb_business_applications_u_crown_jewel + if: ctx.json?.event?.data?.cmdb_business_applications instanceof List + processor: + convert: + field: _ingest._value.u_crown_jewel + tag: convert_event_data_cmdb_business_applications_u_crown_jewel_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.u_crown_jewel + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.cmdb_business_applications + tag: rename_event_data_cmdb_business_applications + target_field: axonius.network.event.data.cmdb_business_applications + ignore_missing: true + - rename: + field: json.event.data.color + tag: rename_event_data_color + target_field: axonius.network.event.data.color + ignore_missing: true + - foreach: + field: json.event.data.common_users + tag: foreach_event_data_common_users + if: ctx.json?.event?.data?.common_users instanceof List + processor: + append: + field: related.user + tag: append_event_data_common_users_into_related_user + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.event.data.common_users + tag: rename_event_data_common_users + target_field: axonius.network.event.data.common_users + ignore_missing: true + - rename: + field: json.event.data.company + tag: rename_event_data_company + target_field: axonius.network.event.data.company + ignore_missing: true + - convert: + field: json.event.data.confidence_level + tag: convert_event_data_confidence_level_to_long + target_field: axonius.network.event.data.confidence_level + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.connected_devices + tag: rename_event_data_connected_devices + target_field: axonius.network.event.data.connected_devices + ignore_missing: true + - rename: + field: json.event.data.cp_type + tag: rename_event_data_cp_type + target_field: axonius.network.event.data.cp_type + ignore_missing: true + - foreach: + field: json.event.data.cpus + tag: foreach_event_data_cpus_cores + if: ctx.json?.event?.data?.cpus instanceof List + processor: + convert: + field: _ingest._value.cores + tag: convert_event_data_cpus_cores_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.cores + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.cpus + tag: foreach_event_data_cpus_ghz + if: ctx.json?.event?.data?.cpus instanceof List + processor: + convert: + field: _ingest._value.ghz + tag: convert_event_data_cpus_ghz_to_double + type: double + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.ghz + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.cpus + tag: rename_event_data_cpus + target_field: axonius.network.event.data.cpus + ignore_missing: true + - rename: + field: json.event.data.criticality + tag: rename_event_data_criticality + target_field: axonius.network.event.data.criticality + ignore_missing: true + - rename: + field: json.event.data.custom_risk_owner + tag: rename_event_data_custom_risk_owner 
+ target_field: axonius.network.event.data.custom_risk_owner + ignore_missing: true + - rename: + field: json.event.data.data_center + tag: rename_event_data_data_center + target_field: axonius.network.event.data.data_center + ignore_missing: true + - rename: + field: json.event.data.device_manufacturer + tag: rename_event_data_device_manufacturer + target_field: axonius.network.event.data.device_manufacturer + ignore_missing: true + - set: + field: device.manufacturer + tag: set_device_manufacturer_from_network_event_data_device_manufacturer + copy_from: axonius.network.event.data.device_manufacturer + ignore_empty_value: true + - rename: + field: json.event.data.device_serial + tag: rename_event_data_device_serial + target_field: axonius.network.event.data.device_serial + ignore_missing: true + - set: + field: device.serial_number + tag: set_device_serial_number_from_network_event_data_device_serial + copy_from: axonius.network.event.data.device_serial + ignore_empty_value: true + - append: + field: related.hosts + tag: append_network_event_data_device_serial_into_related_hosts + value: '{{{axonius.network.event.data.device_serial}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.device_serial != null + - rename: + field: json.event.data.device_state + tag: rename_event_data_device_state + target_field: axonius.network.event.data.device_state + ignore_missing: true + - rename: + field: json.event.data.device_type + tag: rename_event_data_device_type + target_field: axonius.network.event.data.device_type + ignore_missing: true + - set: + field: device.type + tag: set_device_type_from_network_event_data_device_type + copy_from: axonius.network.event.data.device_type + ignore_empty_value: true + - rename: + field: json.event.data.disk_encryption_configuration + tag: rename_event_data_disk_encryption_configuration + target_field: axonius.network.event.data.disk_encryption_configuration + ignore_missing: true + - rename: + field: 
json.event.data.domain + tag: rename_event_data_domain + target_field: axonius.network.event.data.domain + ignore_missing: true + - set: + field: host.domain + tag: set_host_domain_from_network_event_data_domain + copy_from: axonius.network.event.data.domain + ignore_empty_value: true + - rename: + field: json.event.data.entity_id + tag: rename_event_data_entity_id + target_field: axonius.network.event.data.entity_id + ignore_missing: true + - rename: + field: json.event.data.environment + tag: rename_event_data_environment + target_field: axonius.network.event.data.environment + ignore_missing: true + - rename: + field: json.event.data.epo_host + tag: rename_event_data_epo_host + target_field: axonius.network.event.data.epo_host + ignore_missing: true + - append: + field: related.hosts + tag: append_network_event_data_epo_host_into_related_hosts + value: '{{{axonius.network.event.data.epo_host}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.epo_host != null + - rename: + field: json.event.data.epo_id + tag: rename_event_data_epo_id + target_field: axonius.network.event.data.epo_id + ignore_missing: true + - rename: + field: json.event.data.epo_products + tag: rename_event_data_epo_products + target_field: axonius.network.event.data.epo_products + ignore_missing: true + - rename: + field: json.event.data.excluded_software_cves + tag: rename_event_data_excluded_software_cves + target_field: axonius.network.event.data.excluded_software_cves + ignore_missing: true + - rename: + field: json.event.data.external_cloud_account_id + tag: rename_event_data_external_cloud_account_id + target_field: axonius.network.event.data.external_cloud_account_id + ignore_missing: true + - convert: + field: json.event.data.external_ip + tag: convert_event_data_external_ip_to_ip + target_field: axonius.network.event.data.external_ip + type: ip + ignore_missing: true + if: ctx.json?.event?.data?.external_ip != '' + on_failure: + - append: + field: error.message + 
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_network_event_data_external_ip_into_related_ip + value: '{{{axonius.network.event.data.external_ip}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.external_ip != null + - convert: + field: json.event.data.external_nat_ip + tag: convert_event_data_external_nat_ip_to_ip + target_field: axonius.network.event.data.external_nat_ip + type: ip + ignore_missing: true + if: ctx.json?.event?.data?.external_nat_ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_network_event_data_external_nat_ip_into_related_ip + value: '{{{axonius.network.event.data.external_nat_ip}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.external_nat_ip != null + - rename: + field: json.event.data.fetch_proto + tag: rename_event_data_fetch_proto + target_field: axonius.network.event.data.fetch_proto + ignore_missing: true + - rename: + field: json.event.data.__fields_to_unset__ + tag: rename_event_data___fields_to_unset__ + target_field: axonius.network.event.data.fields_to_unset + ignore_missing: true + - rename: + field: json.event.data.fingerprint + tag: rename_event_data_fingerprint + target_field: axonius.network.event.data.fingerprint + ignore_missing: true + - convert: + field: json.event.data.firewall_enabled + tag: convert_event_data_firewall_enabled_to_boolean + target_field: axonius.network.event.data.firewall_enabled + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.firewall_rules + tag: rename_event_data_firewall_rules + target_field: axonius.network.event.data.firewall_rules + ignore_missing: true + - rename: + field: json.event.data.fqdn + tag: rename_event_data_fqdn + target_field: axonius.network.event.data.fqdn + ignore_missing: true + - set: + field: host.name + tag: set_host_name_from_network_event_data_fqdn + copy_from: axonius.network.event.data.fqdn + ignore_empty_value: true + - append: + field: related.hosts + tag: append_network_event_data_fqdn_into_related_hosts + value: '{{{axonius.network.event.data.fqdn}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.fqdn != null + - convert: + field: json.event.data.free_physical_memory + tag: convert_event_data_free_physical_memory_to_double + target_field: axonius.network.event.data.free_physical_memory + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.general + tag: rename_event_data_general + target_field: axonius.network.event.data.general + ignore_missing: true + - foreach: + field: json.event.data.generic_encryption + tag: foreach_event_data_generic_encryption_status + if: ctx.json?.event?.data?.generic_encryption instanceof List + processor: + convert: + field: _ingest._value.status + tag: convert_event_data_generic_encryption_status_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.status + ignore_missing: true + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.generic_encryption + tag: rename_event_data_generic_encryption + target_field: axonius.network.event.data.generic_encryption + ignore_missing: true + - convert: + field: json.event.data.ghost + tag: convert_event_data_ghost_to_boolean + target_field: axonius.network.event.data.ghost + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.guest_dns_name + tag: rename_event_data_guest_dns_name + target_field: axonius.network.event.data.guest_dns_name + ignore_missing: true + - append: + field: host.name + tag: append_axonius_network_event_data_guest_dns_name_into_host_name + value: '{{{axonius.network.event.data.guest_dns_name}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.guest_dns_name != null + - append: + field: related.hosts + tag: append_network_event_data_guest_dns_name_into_related_hosts + value: '{{{axonius.network.event.data.guest_dns_name}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.guest_dns_name != null + - rename: + field: json.event.data.guest_family + tag: rename_event_data_guest_family + target_field: axonius.network.event.data.guest_family + ignore_missing: true + - rename: + field: json.event.data.guest_name + tag: rename_event_data_guest_name + target_field: axonius.network.event.data.guest_name + ignore_missing: true + - rename: + field: json.event.data.guest_state + tag: rename_event_data_guest_state + target_field: axonius.network.event.data.guest_state + ignore_missing: true + - convert: + field: 
json.event.data.hard_drives.free_size + tag: convert_event_data_hard_drives_free_size_to_double + target_field: axonius.network.event.data.hard_drives.free_size + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.hard_drives.is_encrypted + tag: convert_event_data_hard_drives_is_encrypted_to_boolean + target_field: axonius.network.event.data.hard_drives.is_encrypted + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.hard_drives.total_size + tag: convert_event_data_hard_drives_total_size_to_double + target_field: axonius.network.event.data.hard_drives.total_size + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.hardware_status + tag: rename_event_data_hardware_status + target_field: axonius.network.event.data.hardware_status + ignore_missing: true + - rename: + field: json.event.data.hostname + tag: rename_event_data_hostname + target_field: axonius.network.event.data.hostname + ignore_missing: true + - set: + field: host.hostname + tag: set_host_hostname_from_network_event_data_hostname + copy_from: axonius.network.event.data.hostname + ignore_empty_value: true + - append: + field: related.hosts + tag: 
append_network_event_data_hostname_into_related_hosts + value: '{{{axonius.network.event.data.hostname}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.hostname != null + - rename: + field: json.event.data.in_groups + tag: rename_event_data_in_groups + target_field: axonius.network.event.data.in_groups + ignore_missing: true + - rename: + field: json.event.data.install_status + tag: rename_event_data_install_status + target_field: axonius.network.event.data.install_status + ignore_missing: true + - rename: + field: json.event.data.installed_software + tag: rename_event_data_installed_software + target_field: axonius.network.event.data.installed_software + ignore_missing: true + - rename: + field: json.event.data.ip_address_guid + tag: rename_event_data_ip_address_guid + target_field: axonius.network.event.data.ip_address_guid + ignore_missing: true + - convert: + field: json.event.data.is_authenticated_scan + tag: convert_event_data_is_authenticated_scan_to_boolean + target_field: axonius.network.event.data.is_authenticated_scan + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.is_fragile + tag: convert_event_data_is_fragile_to_boolean + target_field: axonius.network.event.data.is_fragile + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.is_latest_last_seen + tag: convert_event_data_is_latest_last_seen_to_boolean + target_field: axonius.network.event.data.is_latest_last_seen + type: 
boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.is_managed + tag: convert_event_data_is_managed_to_boolean + target_field: axonius.network.event.data.is_managed + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.is_network_infra_device + tag: convert_event_data_is_network_infra_device_to_boolean + target_field: axonius.network.event.data.is_network_infra_device + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.network_interfaces + tag: foreach_event_data_network_interfaces_ips_v4 + if: ctx.json?.event?.data?.network_interfaces instanceof List + processor: + gsub: + field: _ingest._value.mac + tag: gsub_event_data_network_interfaces_mac + pattern: ':' + replacement: '-' + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.network_interfaces + tag: foreach_event_data_network_interfaces_ips_v4 + if: ctx.json?.event?.data?.network_interfaces instanceof List + processor: + 
uppercase: + field: _ingest._value.mac + tag: uppercase_event_data_network_interfaces_mac + ignore_missing: true + - convert: + field: json.event.data.is_purchased + tag: convert_event_data_is_purchased_to_boolean + target_field: axonius.network.event.data.is_purchased + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.is_safe + tag: convert_event_data_is_safe_to_boolean + target_field: axonius.network.event.data.is_safe + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.jamf_groups + tag: rename_event_data_jamf_groups + target_field: axonius.network.event.data.jamf_groups + ignore_missing: true + - foreach: + field: json.event.data.jamf_groups_detailed + tag: foreach_event_data_jamf_groups_detailed_smart_group + if: ctx.json?.event?.data?.jamf_groups_detailed instanceof List + processor: + convert: + field: _ingest._value.smart_group + tag: convert_event_data_jamf_groups_detailed_smart_group_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.smart_group + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.jamf_groups_detailed + tag: foreach_event_data_jamf_groups_detailed_group_id + if: 
ctx.json?.event?.data?.jamf_groups_detailed instanceof List + processor: + convert: + field: _ingest._value.group_id + tag: convert_event_data_jamf_groups_detailed_group_id_to_string + type: string + ignore_missing: true + - rename: + field: json.event.data.jamf_groups_detailed + tag: rename_event_data_jamf_groups_detailed + target_field: axonius.network.event.data.jamf_groups_detailed + ignore_missing: true + - convert: + field: json.event.data.jamf_id + tag: convert_event_data_jamf_id_into_keyword + type: string + target_field: axonius.network.event.data.jamf_id + ignore_missing: true + - rename: + field: json.event.data.jamf_location.building + tag: rename_event_data_jamf_location_building + target_field: axonius.network.event.data.jamf_location.building + ignore_missing: true + - rename: + field: json.event.data.jamf_location.email_address + tag: rename_event_data_jamf_location_email_address + target_field: axonius.network.event.data.jamf_location.email_address + ignore_missing: true + - append: + field: related.user + tag: append_network_event_data_jamf_location_email_address_into_related_user + value: '{{{axonius.network.event.data.jamf_location.email_address}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.jamf_location?.email_address != null + - rename: + field: json.event.data.jamf_location.phone_number + tag: rename_event_data_jamf_location_phone_number + target_field: axonius.network.event.data.jamf_location.phone_number + ignore_missing: true + - rename: + field: json.event.data.jamf_location.position + tag: rename_event_data_jamf_location_position + target_field: axonius.network.event.data.jamf_location.position + ignore_missing: true + - rename: + field: json.event.data.jamf_location.real_name + tag: rename_event_data_jamf_location_real_name + target_field: axonius.network.event.data.jamf_location.real_name + ignore_missing: true + - convert: + field: json.event.data.jamf_location.room + tag: 
convert_event_data_jamf_location_room_to_long + target_field: axonius.network.event.data.jamf_location.room + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.jamf_location.username + tag: rename_event_data_jamf_location_username + target_field: axonius.network.event.data.jamf_location.username + ignore_missing: true + - append: + field: related.user + tag: append_network_event_data_jamf_location_username_into_related_user + value: '{{{axonius.network.event.data.jamf_location.username}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.jamf_location?.username != null + - rename: + field: json.event.data.jamf_version + tag: rename_event_data_jamf_version + target_field: axonius.network.event.data.jamf_version + ignore_missing: true + - date: + field: json.event.data.last_agent_import + tag: date_event_data_last_agent_import + target_field: axonius.network.event.data.last_agent_import + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.last_agent_import != null && ctx.json.event.data.last_agent_import != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.event.data.last_auth_run + tag: date_event_data_last_auth_run + target_field: axonius.network.event.data.last_auth_run + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.last_auth_run != null && ctx.json.event.data.last_auth_run != '' + on_failure: 
+ - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.event.data.last_contact_time + tag: date_event_data_last_contact_time + target_field: axonius.network.event.data.last_contact_time + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.last_contact_time != null && ctx.json.event.data.last_contact_time != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.event.data.last_enrolled_date_utc + tag: date_event_data_last_enrolled_date_utc + target_field: axonius.network.event.data.last_enrolled_date_utc + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.last_enrolled_date_utc != null && ctx.json.event.data.last_enrolled_date_utc != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.event.data.last_scan + tag: date_event_data_last_scan + target_field: axonius.network.event.data.last_scan + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.last_scan != null && ctx.json.event.data.last_scan != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.event.data.last_seen_agents + tag: date_event_data_last_seen_agents + target_field: axonius.network.event.data.last_seen_agents + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.last_seen_agents != null && ctx.json.event.data.last_seen_agents != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.event.data.last_unauth_run + tag: date_event_data_last_unauth_run + target_field: axonius.network.event.data.last_unauth_run + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.last_unauth_run != null && ctx.json.event.data.last_unauth_run != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.last_used_users + tag: foreach_event_data_last_used_users + if: ctx.json?.event?.data?.last_used_users instanceof List + processor: + append: + field: related.user + tag: append_event_data_last_used_users_into_related_user + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.event.data.last_used_users + tag: rename_event_data_last_used_users + target_field: axonius.network.event.data.last_used_users + ignore_missing: true + - rename: + field: json.event.data.last_used_users_departments_association + tag: rename_event_data_last_used_users_departments_association + target_field: 
axonius.network.event.data.last_used_users_departments_association + ignore_missing: true + - rename: + field: json.event.data.last_used_users_email_domain_association + tag: rename_event_data_last_used_users_email_domain_association + target_field: axonius.network.event.data.last_used_users_email_domain_association + ignore_missing: true + - rename: + field: json.event.data.last_used_users_internal_axon_id_association + tag: rename_event_data_last_used_users_internal_axon_id_association + target_field: axonius.network.event.data.last_used_users_internal_axon_id_association + ignore_missing: true + - foreach: + field: json.event.data.last_used_users_mail_association + tag: foreach_event_data_last_used_users_mail_association + if: ctx.json?.event?.data?.last_used_users_mail_association instanceof List + processor: + append: + field: related.user + tag: append_event_data_last_used_users_mail_association_into_related_user + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.event.data.last_used_users_mail_association + tag: rename_event_data_last_used_users_mail_association + target_field: axonius.network.event.data.last_used_users_mail_association + ignore_missing: true + - foreach: + field: json.event.data.last_used_users_user_manager_association + tag: foreach_event_data_last_used_users_user_manager_association + if: ctx.json?.event?.data?.last_used_users_user_manager_association instanceof List + processor: + append: + field: related.user + tag: append_event_data_last_used_users_user_manager_association_into_related_user + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.event.data.last_used_users_user_manager_association + tag: rename_event_data_last_used_users_user_manager_association + target_field: axonius.network.event.data.last_used_users_user_manager_association + ignore_missing: true + - foreach: + field: json.event.data.last_used_users_user_manager_mail_association + tag: 
foreach_event_data_last_used_users_user_manager_mail_association + if: ctx.json?.event?.data?.last_used_users_user_manager_mail_association instanceof List + processor: + append: + field: related.user + tag: append_event_data_last_used_users_user_manager_mail_association_into_related_user + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.event.data.last_used_users_user_manager_mail_association + tag: rename_event_data_last_used_users_user_manager_mail_association + target_field: axonius.network.event.data.last_used_users_user_manager_mail_association + ignore_missing: true + - rename: + field: json.event.data.last_used_users_user_status_association + tag: rename_event_data_last_used_users_user_status_association + target_field: axonius.network.event.data.last_used_users_user_status_association + ignore_missing: true + - rename: + field: json.event.data.last_used_users_user_title_association + tag: rename_event_data_last_used_users_user_title_association + target_field: axonius.network.event.data.last_used_users_user_title_association + ignore_missing: true + - rename: + field: json.event.data.latest_used_user + tag: rename_event_data_latest_used_user + target_field: axonius.network.event.data.latest_used_user + ignore_missing: true + - append: + field: related.user + tag: append_network_event_data_latest_used_user_into_related_user + value: '{{{axonius.network.event.data.latest_used_user}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.latest_used_user != null + - rename: + field: json.event.data.latest_used_user_department + tag: rename_event_data_latest_used_user_department + target_field: axonius.network.event.data.latest_used_user_department + ignore_missing: true + - rename: + field: json.event.data.latest_used_user_email_domain + tag: rename_event_data_latest_used_user_email_domain + target_field: axonius.network.event.data.latest_used_user_email_domain + ignore_missing: true + - rename: + field: 
json.event.data.latest_used_user_mail + tag: rename_event_data_latest_used_user_mail + target_field: axonius.network.event.data.latest_used_user_mail + ignore_missing: true + - append: + field: related.user + tag: append_network_event_data_latest_used_user_mail_into_related_user + value: '{{{axonius.network.event.data.latest_used_user_mail}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.latest_used_user_mail != null + - rename: + field: json.event.data.latest_used_user_user_manager + tag: rename_event_data_latest_used_user_user_manager + target_field: axonius.network.event.data.latest_used_user_user_manager + ignore_missing: true + - append: + field: related.user + tag: append_network_event_data_latest_used_user_user_manager_into_related_user + value: '{{{axonius.network.event.data.latest_used_user_user_manager}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.latest_used_user_user_manager != null + - rename: + field: json.event.data.latest_used_user_user_status + tag: rename_event_data_latest_used_user_user_status + target_field: axonius.network.event.data.latest_used_user_user_status + ignore_missing: true + - rename: + field: json.event.data.latest_used_user_user_title + tag: rename_event_data_latest_used_user_user_title + target_field: axonius.network.event.data.latest_used_user_user_title + ignore_missing: true + - foreach: + field: json.event.data.linked_tickets + tag: foreach_event_data_linked_tickets + if: ctx.json?.event?.data?.linked_tickets instanceof List + processor: + date: + field: _ingest._value.created + tag: date_event_data_linked_tickets_created + target_field: _ingest._value.created + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.created + ignore_missing: true + - foreach: + field: json.event.data.linked_tickets + tag: foreach_event_data_linked_tickets + if: ctx.json?.event?.data?.linked_tickets 
instanceof List + processor: + date: + field: _ingest._value.updated + tag: date_event_data_linked_tickets_updated + target_field: _ingest._value.updated + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.updated + ignore_missing: true + - rename: + field: json.event.data.linked_tickets + tag: rename_event_data_linked_tickets + target_field: axonius.network.event.data.linked_tickets + ignore_missing: true + - rename: + field: json.event.data.lock + tag: rename_event_data_lock + target_field: axonius.network.event.data.lock + ignore_missing: true + - rename: + field: json.event.data.meeting_id + tag: rename_event_data_meeting_id + target_field: axonius.network.event.data.meeting_id + ignore_missing: true + - rename: + field: json.event.data.microphone + tag: rename_event_data_microphone + target_field: axonius.network.event.data.microphone + ignore_missing: true + - foreach: + field: json.event.data.nat_policy_ips + tag: foreach_event_data_nat_policy_ips_address + if: ctx.json?.event?.data?.nat_policy_ips instanceof List + processor: + convert: + field: _ingest._value.address + tag: convert_event_data_nat_policy_ips_address_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.address + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.nat_policy_ips + tag: foreach_event_data_nat_policy_ips_address + if: ctx.json?.event?.data?.nat_policy_ips instanceof List + processor: + append: + field: related.ip + tag: append_event_data_nat_policy_ips_address_into_related_ip + value: '{{{_ingest._value.address}}}' + allow_duplicates: false + - foreach: + field: json.event.data.nat_policy_ips + tag: 
foreach_event_data_nat_policy_ips_rule_num + if: ctx.json?.event?.data?.nat_policy_ips instanceof List + processor: + convert: + field: _ingest._value.rule_num + tag: convert_event_data_nat_policy_ips_rule_num_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.rule_num + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.nat_policy_ips + tag: rename_event_data_nat_policy_ips + target_field: axonius.network.event.data.nat_policy_ips + ignore_missing: true + - rename: + field: json.event.data.network + tag: rename_event_data_network + target_field: axonius.network.event.data.network + ignore_missing: true + - foreach: + field: json.event.data.network_interfaces + tag: foreach_event_data_network_interfaces_ips + if: ctx.json?.event?.data?.network_interfaces instanceof List + processor: + foreach: + field: _ingest._value.ips + tag: foreach_event_data_network_interfaces_ips + ignore_missing: true + processor: + append: + field: related.ip + tag: append_event_data_network_interfaces_ips_into_related_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: json.event.data.network_interfaces + tag: foreach_event_data_network_interfaces_ips_raw + if: ctx.json?.event?.data?.network_interfaces instanceof List + processor: + foreach: + field: _ingest._value.ips_raw + tag: foreach_event_data_network_interfaces_ips_raw + ignore_missing: true + processor: + convert: + field: _ingest._value + tag: convert_event_data_network_interfaces_ips_raw_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.network_interfaces + tag: foreach_event_data_network_interfaces_ips_v4_raw + if: ctx.json?.event?.data?.network_interfaces instanceof List + processor: + foreach: + field: _ingest._value.ips_v4_raw + tag: foreach_event_data_network_interfaces_ips_v4_raw + ignore_missing: true + processor: + convert: + field: _ingest._value + tag: convert_event_data_network_interfaces_ips_v4_raw_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.network_interfaces + tag: rename_event_data_network_interfaces + target_field: axonius.network.event.data.network_interfaces + ignore_missing: true + - rename: + field: json.event.data.network_status + tag: rename_event_data_network_status + target_field: axonius.network.event.data.network_status + ignore_missing: true + - rename: + field: json.event.data.network_type + tag: rename_event_data_network_type + target_field: axonius.network.event.data.network_type + ignore_missing: true + - convert: + field: json.event.data.nexpose_id + tag: convert_event_data_nexpose_id_into_keyword + type: string + target_field: axonius.network.event.data.nexpose_id + ignore_missing: true + - rename: + field: json.event.data.nexpose_type + tag: rename_event_data_nexpose_type + target_field: axonius.network.event.data.nexpose_type + ignore_missing: true + - rename: + field: json.event.data.node_id + tag: rename_event_data_node_id + target_field: axonius.network.event.data.node_id + ignore_missing: true + - rename: + field: 
json.event.data.node_name + tag: rename_event_data_node_name + target_field: axonius.network.event.data.node_name + ignore_missing: true + - foreach: + field: json.event.data.normalization_reasons + tag: foreach_event_data_normalization_reasons_calculated_time + if: ctx.json?.event?.data?.normalization_reasons instanceof List + processor: + date: + field: _ingest._value.calculated_time + tag: date_event_data_normalization_reasons_calculated_time + target_field: _ingest._value.calculated_time + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.calculated_time + ignore_missing: true + - foreach: + field: json.event.data.normalization_reasons + tag: foreach_event_data_normalization_reasons_reason + if: ctx.json?.event?.data?.normalization_reasons instanceof List + processor: + append: + field: event.reason + tag: append_event_data_normalization_reasons_reason_into_event_reason + value: '{{{_ingest._value.reason}}}' + allow_duplicates: false + - rename: + field: json.event.data.normalization_reasons + tag: rename_event_data_normalization_reasons + target_field: axonius.network.event.data.normalization_reasons + ignore_missing: true + - foreach: + field: json.event.data.open_ports + tag: foreach_event_data_open_ports_port_id + if: ctx.json?.event?.data?.open_ports instanceof List + processor: + convert: + field: _ingest._value.port_id + tag: convert_event_data_open_ports_port_id_to_keyword + type: string + ignore_missing: true + - rename: + field: json.event.data.open_ports + tag: rename_event_data_open_ports + target_field: axonius.network.event.data.open_ports + ignore_missing: true + - rename: + field: json.event.data.operational_status + tag: rename_event_data_operational_status + target_field: axonius.network.event.data.operational_status + ignore_missing: true + - rename: + field: json.event.data.organizational_unit + tag: event_data_organizational_unit + target_field: 
axonius.network.event.data.organizational_unit + ignore_missing: true + - rename: + field: json.event.data.os.codename + tag: rename_event_data_os_codename + target_field: axonius.network.event.data.os.codename + ignore_missing: true + - rename: + field: json.event.data.os.distribution + tag: rename_event_data_os_distribution + target_field: axonius.network.event.data.os.distribution + ignore_missing: true + - rename: + field: json.event.data.os.distribution_name + tag: rename_event_data_os_distribution_name + target_field: axonius.network.event.data.os.distribution_name + ignore_missing: true + - set: + field: host.os.family + tag: set_host_os_family_from_network_event_data_os_distribution_name + copy_from: axonius.network.event.data.os.distribution_name + ignore_empty_value: true + - lowercase: + field: host.os.family + tag: lowercase_host_os_family + ignore_missing: true + - date: + field: json.event.data.os.end_of_life + tag: date_event_data_os_end_of_life + target_field: axonius.network.event.data.os.end_of_life + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.os?.end_of_life != null && ctx.json.event.data.os.end_of_life != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.event.data.os.end_of_support + tag: date_event_data_os_end_of_support + target_field: axonius.network.event.data.os.end_of_support + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.os?.end_of_support != null && ctx.json.event.data.os.end_of_support != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in 
pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.os.is_end_of_life + tag: convert_event_data_os_is_end_of_life_to_boolean + target_field: axonius.network.event.data.os.is_end_of_life + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.os.is_end_of_support + tag: convert_event_data_os_is_end_of_support_to_boolean + target_field: axonius.network.event.data.os.is_end_of_support + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.os.is_latest_os_version + tag: convert_event_data_os_is_latest_os_version_to_boolean + target_field: axonius.network.event.data.os.is_latest_os_version + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.os.is_windows_server + tag: convert_event_data_os_is_windows_server_to_boolean + target_field: axonius.network.event.data.os.is_windows_server + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.os.latest_os_version + tag: rename_event_data_os_latest_os_version + target_field: axonius.network.event.data.os.latest_os_version + ignore_missing: true + - set: + field: host.os.version + tag: set_host_os_version_from_network_event_data_os_latest_os_version + copy_from: axonius.network.event.data.os.latest_os_version + ignore_empty_value: true + - convert: + field: json.event.data.os.major + tag: convert_event_data_os_major_to_long + target_field: axonius.network.event.data.os.major + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.os.minor + tag: convert_event_data_os_minor_to_long + target_field: axonius.network.event.data.os.minor + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.os.os_cpe + tag: rename_event_data_os_os_cpe + target_field: axonius.network.event.data.os.os_cpe + ignore_missing: true + - convert: + field: json.event.data.os.os_dotted + tag: convert_event_data_os_os_dotted_to_keyword + target_field: axonius.network.event.data.os.os_dotted + type: string + ignore_missing: true + - convert: + field: json.event.data.os.os_dotted_raw + tag: convert_event_data_os_os_dotted_raw_to_long + target_field: axonius.network.event.data.os.os_dotted_raw + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.os.os_str + tag: rename_event_data_os_os_str + target_field: axonius.network.event.data.os.os_str + ignore_missing: true + - rename: + field: json.event.data.os.type + tag: rename_event_data_os_type + target_field: axonius.network.event.data.os.type + ignore_missing: true + - set: + field: host.os.type + tag: set_host_os_type_from_network_event_data_os_type + copy_from: axonius.network.event.data.os.type + if: >- + ctx.axonius?.network?.event?.data?.os?.type != null && ( + ctx.axonius.network.event.data.os.type.toLowerCase().contains('linux') || + ctx.axonius.network.event.data.os.type.toLowerCase().contains('macos') || + ctx.axonius.network.event.data.os.type.toLowerCase().contains('unix') || + ctx.axonius.network.event.data.os.type.toLowerCase().contains('windows') || + ctx.axonius.network.event.data.os.type.toLowerCase().contains('ios') || + ctx.axonius.network.event.data.os.type.toLowerCase().contains('android') + ) + ignore_empty_value: true + - lowercase: + field: host.os.type + tag: lowercase_host_os_type + ignore_missing: true + - rename: + field: json.event.data.os.type_distribution + tag: rename_event_data_os_type_distribution + target_field: axonius.network.event.data.os.type_distribution + ignore_missing: true + - set: + field: host.os.full + tag: set_host_os_full_from_network_event_data_os_type_distribution + copy_from: axonius.network.event.data.os.type_distribution + ignore_empty_value: true + - foreach: + field: json.event.data.os_ext_attributes + tag: foreach_event_data_os_ext_attributes_is_enabled + if: ctx.json?.event?.data?.os_ext_attributes instanceof List + processor: + convert: + field: _ingest._value.is_enabled + tag: convert_event_data_os_ext_attributes_is_enabled_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: 
_ingest._value.is_enabled + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.os_ext_attributes + tag: foreach_event_data_os_ext_attributes_definition_id + if: ctx.json?.event?.data?.os_ext_attributes instanceof List + processor: + convert: + field: _ingest._value.definition_id + tag: convert_event_data_os_ext_attributes_definition_id_to_keyword + type: string + ignore_missing: true + - foreach: + field: json.event.data.os_ext_attributes + tag: foreach_event_data_os_ext_attributes_is_multivalue + if: ctx.json?.event?.data?.os_ext_attributes instanceof List + processor: + convert: + field: _ingest._value.is_multivalue + tag: convert_event_data_os_ext_attributes_is_multivalue_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_multivalue + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.os_ext_attributes + tag: rename_event_data_os_ext_attributes + target_field: axonius.network.event.data.os_ext_attributes + ignore_missing: true + - rename: + field: json.event.data.owner + tag: rename_event_data_owner + target_field: axonius.network.event.data.owner + ignore_missing: true + - append: + field: related.user + tag: append_network_event_data_owner_into_related_user + value: '{{{axonius.network.event.data.owner}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.owner != null + - rename: + field: json.event.data.paloalto_device_type + tag: rename_event_data_paloalto_device_type + target_field: 
axonius.network.event.data.paloalto_device_type + ignore_missing: true + - convert: + field: json.event.data.part_of_domain + tag: convert_event_data_part_of_domain_to_boolean + target_field: axonius.network.event.data.part_of_domain + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.physical_location + tag: rename_event_data_physical_location + target_field: axonius.network.event.data.physical_location + ignore_missing: true + - convert: + field: json.event.data.physical_memory_percentage + tag: convert_event_data_physical_memory_percentage_to_double + target_field: axonius.network.event.data.physical_memory_percentage + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_cve + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + append: + field: vulnerability.id + tag: append_event_data_plugin_and_severities_cve_into_vulnerability_id + value: '{{{_ingest._value.cve}}}' + allow_duplicates: false + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_cvss_base_score + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.cvss_base_score + tag: convert_event_data_plugin_and_severities_cvss_base_score_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: 
_ingest._value.cvss_base_score + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_family_id + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.family.id + tag: convert_event_data_plugin_and_severities_family_id_to_keyword + type: string + ignore_missing: true + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_plugin_id + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.plugin_id + tag: convert_event_data_plugin_and_severities_plugin_id_to_keyword + type: string + ignore_missing: true + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_plugin_id_number + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.plugin_id_number + tag: convert_event_data_plugin_and_severities_plugin_id_number_to_keyword + type: string + ignore_missing: true + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_days_seen + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.days_seen + tag: convert_event_data_plugin_and_severities_days_seen_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.days_seen + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with 
message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_exploit_available + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.exploit_available + tag: convert_event_data_plugin_and_severities_exploit_available_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.exploit_available + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_first_found + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + date: + field: _ingest._value.first_found + tag: date_event_data_plugin_and_severities_first_found + target_field: _ingest._value.first_found + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.first_found + ignore_missing: true + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_first_seen + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + date: + field: _ingest._value.first_seen + tag: date_event_data_plugin_and_severities_first_seen + target_field: _ingest._value.first_seen + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.first_seen + ignore_missing: true + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_has_been_mitigated + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + 
processor: + convert: + field: _ingest._value.has_been_mitigated + tag: convert_event_data_plugin_and_severities_has_been_mitigated_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.has_been_mitigated + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_has_patch + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.has_patch + tag: convert_event_data_plugin_and_severities_has_patch_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.has_patch + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_last_fixed + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + date: + field: _ingest._value.last_fixed + tag: date_event_data_plugin_and_severities_last_fixed + target_field: _ingest._value.last_fixed + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.last_fixed + ignore_missing: true + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_last_found + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + date: + field: _ingest._value.last_found + tag: 
date_event_data_plugin_and_severities_last_found + target_field: _ingest._value.last_found + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.last_found + ignore_missing: true + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_last_seen + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + date: + field: _ingest._value.last_seen + tag: date_event_data_plugin_and_severities_last_seen + target_field: _ingest._value.last_seen + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.last_seen + ignore_missing: true + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_mitigated + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.mitigated + tag: convert_event_data_plugin_and_severities_mitigated_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.mitigated + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_nessus_instance_display_superseded_patches + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.nessus_instance.display_superseded_patches + tag: convert_event_data_plugin_and_severities_nessus_instance_display_superseded_patches_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: 
_ingest._value.nessus_instance.display_superseded_patches + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_nessus_instance.plugin_feed_version + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.nessus_instance.plugin_feed_version + tag: convert_event_data_plugin_and_severities_nessus_instance.plugin_feed_version_to_keyword + type: string + ignore_missing: true + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_nessus_instance_experimental_tests + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.nessus_instance.experimental_tests + tag: convert_event_data_plugin_and_severities_nessus_instance_experimental_tests_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.nessus_instance.experimental_tests + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_nessus_instance_report_verbosity + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.nessus_instance.report_verbosity + tag: convert_event_data_plugin_and_severities_nessus_instance_report_verbosity_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: 
_ingest._value.nessus_instance.report_verbosity + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_nessus_instance_safe_check + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.nessus_instance.safe_check + tag: convert_event_data_plugin_and_severities_nessus_instance_safe_check_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.nessus_instance.safe_check + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_nessus_instance_scanner_ip + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.nessus_instance.scanner_ip + tag: convert_event_data_plugin_and_severities_nessus_instance_scanner_ip_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.nessus_instance.scanner_ip + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_nessus_instance_thorough_tests + if: ctx.json?.event?.data?.plugin_and_severities instanceof 
List + processor: + convert: + field: _ingest._value.nessus_instance.thorough_tests + tag: convert_event_data_plugin_and_severities_nessus_instance_thorough_tests_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.nessus_instance.thorough_tests + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_patch_publication_date + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + date: + field: _ingest._value.patch_publication_date + tag: date_event_data_plugin_and_severities_patch_publication_date + target_field: _ingest._value.patch_publication_date + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.patch_publication_date + ignore_missing: true + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_severity + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + append: + field: vulnerability.severity + tag: append_event_data_plugin_and_severities_severity_into_vulnerability_severity + value: '{{{_ingest._value.severity}}}' + allow_duplicates: false + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_unsupported_by_vendor + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.unsupported_by_vendor + tag: convert_event_data_plugin_and_severities_unsupported_by_vendor_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.unsupported_by_vendor + 
ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.plugin_and_severities + tag: foreach_event_data_plugin_and_severities_vpr_score + if: ctx.json?.event?.data?.plugin_and_severities instanceof List + processor: + convert: + field: _ingest._value.vpr_score + tag: convert_event_data_plugin_and_severities_vpr_score_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.vpr_score + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.plugin_and_severities + tag: rename_event_data_plugin_and_severities + target_field: axonius.network.event.data.plugin_and_severities + ignore_missing: true + - rename: + field: json.event.data.policy_id + tag: rename_event_data_policy_id + target_field: axonius.network.event.data.policy_id + ignore_missing: true + - rename: + field: json.event.data.policy_name + tag: rename_event_data_policy_name + target_field: axonius.network.event.data.policy_name + ignore_missing: true + - rename: + field: json.event.data.power_state + tag: rename_event_data_power_state + target_field: axonius.network.event.data.power_state + ignore_missing: true + - rename: + field: json.event.data.ranger_version + tag: rename_event_data_ranger_version + target_field: axonius.network.event.data.ranger_version + ignore_missing: true + - rename: + field: json.event.data.raw_hostname + tag: rename_event_data_raw_hostname + target_field: axonius.network.event.data.raw_hostname + ignore_missing: true + - append: + field: related.hosts + 
tag: append_network_event_data_raw_hostname_into_related_hosts + value: '{{{axonius.network.event.data.raw_hostname}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.raw_hostname != null + - convert: + field: json.event.data.read_only + tag: convert_event_data_read_only_to_boolean + target_field: axonius.network.event.data.read_only + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.recording + tag: convert_event_data_recording_to_boolean + target_field: axonius.network.event.data.recording + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.relative_path + tag: rename_event_data_relative_path + target_field: axonius.network.event.data.relative_path + ignore_missing: true + - date: + field: json.event.data.report_date + tag: date_event_data_report_date + target_field: axonius.network.event.data.report_date + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.report_date != null && ctx.json.event.data.report_date != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.resource_group + tag: rename_event_data_resource_group + target_field: axonius.network.event.data.resource_group 
+ ignore_missing: true + - convert: + field: json.event.data.risk_level + tag: convert_event_data_risk_level_to_long + target_field: axonius.network.event.data.risk_level + type: long + ignore_missing: true + on_failure: + - rename: + field: json.event.data.risk_level + target_field: axonius.network.event.data.risk_level_value + ignore_missing: true + - foreach: + field: json.event.data.scan_results_objs + tag: foreach_event_data_scan_results_objs_id + if: ctx.json?.event?.data?.scan_results_objs instanceof List + processor: + convert: + field: _ingest._value.id + type: string + tag: convert_event_data_scan_results_objs_id_into_string + ignore_missing: true + - rename: + field: json.event.data.scan_results + tag: rename_event_data_scan_results + target_field: axonius.network.event.data.scan_results + ignore_missing: true + - rename: + field: json.event.data.scan_results_objs + tag: rename_event_data_scan_results_objs + target_field: axonius.network.event.data.scan_results_objs + ignore_missing: true + - convert: + field: json.event.data.scanner + tag: convert_event_data_scanner_to_boolean + target_field: axonius.network.event.data.scanner + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.event.data.security_updates_last_changed + tag: date_event_data_security_updates_last_changed + target_field: axonius.network.event.data.security_updates_last_changed + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.security_updates_last_changed != null && ctx.json.event.data.security_updates_last_changed != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.security_updates_status + tag: rename_event_data_security_updates_status + target_field: axonius.network.event.data.security_updates_status + ignore_missing: true + - rename: + field: json.event.data.services + tag: rename_event_data_services + target_field: axonius.network.event.data.services + ignore_missing: true + - convert: + field: json.event.data.severity_critical + tag: convert_event_data_severity_critical_to_long + target_field: axonius.network.event.data.severity_critical + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.severity_high + tag: convert_event_data_severity_high_to_long + target_field: axonius.network.event.data.severity_high + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.severity_info + tag: convert_event_data_severity_info_to_long + target_field: axonius.network.event.data.severity_info + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.severity_low + tag: convert_event_data_severity_low_to_long + target_field: 
axonius.network.event.data.severity_low + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.severity_medium + tag: convert_event_data_severity_medium_to_long + target_field: axonius.network.event.data.severity_medium + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.share_application + tag: convert_event_data_share_application_to_boolean + target_field: axonius.network.event.data.share_application + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.share_desktop + tag: convert_event_data_share_desktop_to_boolean + target_field: axonius.network.event.data.share_desktop + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.share_whiteboard + tag: convert_event_data_share_whiteboard_to_boolean + target_field: axonius.network.event.data.share_whiteboard + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.sip_status + tag: convert_event_data_sip_status_to_boolean + target_field: axonius.network.event.data.sip_status + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.site_name + tag: rename_event_data_site_name + target_field: axonius.network.event.data.site_name + ignore_missing: true + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_axonius_risk_score + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + convert: + field: _ingest._value.axonius_risk_score + tag: convert_event_data_software_cves_axonius_risk_score_to_double + type: double + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.axonius_risk_score + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_axonius_status_last_update + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + date: + field: _ingest._value.axonius_status_last_update + tag: date_event_data_software_cves_axonius_status_last_update + target_field: _ingest._value.axonius_status_last_update + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: 
_ingest._value.axonius_status_last_update + ignore_missing: true + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_cve_from_sw_analysis + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + convert: + field: _ingest._value.cve_from_sw_analysis + tag: convert_event_data_software_cves_cve_from_sw_analysis_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.cve_from_sw_analysis + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_cvss2_score + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + convert: + field: _ingest._value.cvss2_score + tag: convert_event_data_software_cves_cvss2_score_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.cvss2_score + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_cvss2_score_num + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + convert: + field: _ingest._value.cvss2_score_num + tag: convert_event_data_software_cves_cvss2_score_num_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.cvss2_score_num + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_cvss3_score + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + convert: + field: _ingest._value.cvss3_score + tag: convert_event_data_software_cves_cvss3_score_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.cvss3_score + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_cvss3_score_num + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + convert: + field: _ingest._value.cvss3_score_num + tag: convert_event_data_software_cves_cvss3_score_num_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.cvss3_score_num + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_cvss4_score + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + convert: + field: _ingest._value.cvss4_score + tag: convert_event_data_software_cves_cvss4_score_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.cvss4_score + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} 
failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_cvss4_score_num + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + convert: + field: _ingest._value.cvss4_score_num + tag: convert_event_data_software_cves_cvss4_score_num_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.cvss4_score_num + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_cwe_id + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + convert: + field: _ingest._value.cwe_id + tag: convert_event_data_software_cves_cwe_id_to_string + type: string + ignore_missing: true + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_epss_creation_date + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + date: + field: _ingest._value.epss.creation_date + tag: date_event_data_software_cves_epss_creation_date + target_field: _ingest._value.epss.creation_date + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.epss.creation_date + ignore_missing: true + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_epss_percentile + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + convert: + field: _ingest._value.epss.percentile + tag: convert_event_data_software_cves_epss_percentile_to_double + type: double + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.epss.percentile + ignore_missing: true + - append: + 
field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_epss_score + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + convert: + field: _ingest._value.epss.score + tag: convert_event_data_software_cves_epss_score_to_double + type: double + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.epss.score + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_exploitability_score + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + convert: + field: _ingest._value.exploitability_score + tag: convert_event_data_software_cves_exploitability_score_to_double + type: double + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.exploitability_score + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_first_fetch_time + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + date: + field: _ingest._value.first_fetch_time + tag: date_event_data_software_cves_first_fetch_time + target_field: _ingest._value.first_fetch_time + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + 
on_failure: + - remove: + field: _ingest._value.first_fetch_time + ignore_missing: true + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_hash_id + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + append: + field: related.hash + tag: append_event_data_software_cves_hash_id_into_related_hash + value: '{{{_ingest._value.hash_id}}}' + allow_duplicates: false + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_impact_score + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + convert: + field: _ingest._value.impact_score + tag: convert_event_data_software_cves_impact_score_to_double + type: double + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.impact_score + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_last_fetch_time + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + date: + field: _ingest._value.last_fetch_time + tag: date_event_data_software_cves_last_fetch_time + target_field: _ingest._value.last_fetch_time + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.last_fetch_time + ignore_missing: true + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_last_modified_date + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + date: + field: _ingest._value.last_modified_date + tag: date_event_data_software_cves_last_modified_date + target_field: _ingest._value.last_modified_date + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - 
EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.last_modified_date + ignore_missing: true + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_mitigated + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + convert: + field: _ingest._value.mitigated + tag: convert_event_data_software_cves_mitigated_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.mitigated + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_nvd_publish_age + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + convert: + field: _ingest._value.nvd_publish_age + tag: convert_event_data_software_cves_nvd_publish_age_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.nvd_publish_age + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.software_cves + tag: foreach_event_data_software_cves_publish_date + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + date: + field: _ingest._value.publish_date + tag: date_event_data_software_cves_publish_date + target_field: _ingest._value.publish_date + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.publish_date + ignore_missing: true + - foreach: + field: json.event.data.software_cves + tag: 
foreach_event_data_software_cves_solution_hash_id + if: ctx.json?.event?.data?.software_cves instanceof List + processor: + append: + field: related.hash + tag: append_event_data_software_cves_solution_hash_id_into_related_hash + value: '{{{_ingest._value.solution_hash_id}}}' + allow_duplicates: false + - rename: + field: json.event.data.software_cves + tag: rename_event_data_software_cves + target_field: axonius.network.event.data.software_cves + ignore_missing: true + - rename: + field: json.event.data.speaker + tag: rename_event_data_speaker + target_field: axonius.network.event.data.speaker + ignore_missing: true + - convert: + field: json.event.data.special_hint + tag: convert_event_data_special_hint_to_long + target_field: axonius.network.event.data.special_hint + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.special_hint_underscore + tag: rename_event_data_special_hint_underscore + target_field: axonius.network.event.data.special_hint_underscore + ignore_missing: true + - rename: + field: json.event.data.subnet_tag + tag: rename_event_data_subnet_tag + target_field: axonius.network.event.data.subnet_tag + ignore_missing: true + - convert: + field: json.event.data.swap_free + tag: convert_event_data_swap_free_to_double + target_field: axonius.network.event.data.swap_free + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.swap_total + tag: convert_event_data_swap_total_to_double + target_field: 
axonius.network.event.data.swap_total + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.sys_id + tag: rename_event_data_sys_id + target_field: axonius.network.event.data.sys_id + ignore_missing: true + - rename: + field: json.event.data.table_type + tag: rename_event_data_table_type + target_field: axonius.network.event.data.table_type + ignore_missing: true + - rename: + field: json.event.data.tenant_tag + tag: rename_event_data_tenant_tag + target_field: axonius.network.event.data.tenant_tag + ignore_missing: true + - rename: + field: json.event.data.threat_level + tag: rename_event_data_threat_level + target_field: axonius.network.event.data.threat_level + ignore_missing: true + - rename: + field: json.event.data.threats + tag: rename_event_data_threats + target_field: axonius.network.event.data.threats + ignore_missing: true + - convert: + field: json.event.data.total + tag: convert_event_data_total_to_long + target_field: axonius.network.event.data.total + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.total_number_of_cores + tag: convert_event_data_total_number_of_cores_to_long + target_field: axonius.network.event.data.total_number_of_cores + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.total_physical_memory + tag: convert_event_data_total_physical_memory_to_double + target_field: axonius.network.event.data.total_physical_memory + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.u_business_owner + tag: rename_event_data_u_business_owner + target_field: axonius.network.event.data.u_business_owner + ignore_missing: true + - append: + field: related.user + tag: append_network_event_data_u_business_owner_into_related_user + value: '{{{axonius.network.event.data.u_business_owner}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.u_business_owner != null + - rename: + field: json.event.data.u_business_unit + tag: rename_event_data_u_business_unit + target_field: axonius.network.event.data.u_business_unit + ignore_missing: true + - convert: + field: json.event.data.uniq_sites_count + tag: convert_event_data_uniq_sites_count_to_long + target_field: axonius.network.event.data.uniq_sites_count + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.uri + tag: rename_event_data_uri + target_field: axonius.network.event.data.uri + ignore_missing: true + - set: + field: event.url + tag: set_event_url_from_network_event_data_uri + copy_from: axonius.network.event.data.uri + ignore_empty_value: true + - rename: + field: json.event.data.uuid + tag: rename_event_data_uuid + target_field: axonius.network.event.data.uuid + 
ignore_missing: true + - set: + field: host.id + tag: set_host_id_from_network_event_data_uuid + copy_from: axonius.network.event.data.uuid + ignore_empty_value: true + - append: + field: related.hosts + tag: append_network_event_data_uuid_into_related_hosts + value: '{{{axonius.network.event.data.uuid}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.uuid != null + - rename: + field: json.event.data.vendor + tag: rename_event_data_vendor + target_field: axonius.network.event.data.vendor + ignore_missing: true + - convert: + field: json.event.data.virtual_host + tag: convert_event_data_virtual_host_to_boolean + target_field: axonius.network.event.data.virtual_host + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.vm_status + tag: rename_event_data_vm_status + target_field: axonius.network.event.data.vm_status + ignore_missing: true + - rename: + field: json.event.data.vm_type + tag: rename_event_data_vm_type + target_field: axonius.network.event.data.vm_type + ignore_missing: true + - rename: + field: json.event.data.vpn_domain + tag: rename_event_data_vpn_domain + target_field: axonius.network.event.data.vpn_domain + ignore_missing: true + - append: + field: related.hosts + tag: append_network_event_data_vpn_domain_into_related_hosts + value: '{{{axonius.network.event.data.vpn_domain}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.vpn_domain != null + - convert: + field: json.event.data.vpn_is_local + tag: convert_event_data_vpn_is_local_to_boolean + target_field: axonius.network.event.data.vpn_is_local + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.vpn_lifetime + tag: convert_event_data_vpn_lifetime_to_long + target_field: axonius.network.event.data.vpn_lifetime + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.data.vpn_public_ip + tag: convert_event_data_vpn_public_ip_to_ip + target_field: axonius.network.event.data.vpn_public_ip + type: ip + ignore_missing: true + if: ctx.json?.event?.data?.vpn_public_ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_network_event_data_vpn_public_ip_into_related_ip + value: '{{{axonius.network.event.data.vpn_public_ip}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.vpn_public_ip != null + - rename: + field: json.event.data.vpn_tunnel_type + tag: rename_event_data_vpn_tunnel_type + target_field: axonius.network.event.data.vpn_tunnel_type + ignore_missing: true + - rename: + field: json.event.data.vpn_type + tag: rename_event_data_vpn_type + target_field: axonius.network.event.data.vpn_type + ignore_missing: true + - rename: + field: json.event.data.z_sys_class_name + tag: rename_event_data_z_sys_class_name + target_field: axonius.network.event.data.z_sys_class_name + ignore_missing: true + - rename: + field: json.event.data.z_table_hierarchy + tag: rename_event_data_z_table_hierarchy + target_field: 
axonius.network.event.data.z_table_hierarchy + ignore_missing: true + - convert: + field: json.event.data.zoom_ip + tag: convert_event_data_zoom_ip_to_ip + target_field: axonius.network.event.data.zoom_ip + type: ip + ignore_missing: true + if: ctx.json?.event?.data?.zoom_ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_network_event_data_zoom_ip_into_related_ip + value: '{{{axonius.network.event.data.zoom_ip}}}' + allow_duplicates: false + if: ctx.axonius?.network?.event?.data?.zoom_ip != null + - rename: + field: json.event.enrichment_type + tag: rename_event_enrichment_type + target_field: axonius.network.event.enrichment_type + ignore_missing: true + - set: + field: vulnerability.enumeration + tag: set_vulnerability_enumeration_from_network_event_enrichment_type + copy_from: axonius.network.event.enrichment_type + ignore_empty_value: true + - rename: + field: json.event.entity + tag: rename_event_entity + target_field: axonius.network.event.entity + ignore_missing: true + - convert: + field: json.event.hidden_for_gui + tag: convert_event_hidden_for_gui_to_boolean + target_field: axonius.network.event.hidden_for_gui + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.name + tag: rename_event_name + target_field: axonius.network.event.name + ignore_missing: true + - rename: + field: json.labels + tag: rename_labels + target_field: axonius.network.labels + ignore_missing: true + - foreach: + field: 
axonius.network.event.data.cisa_vulnerabilities + tag: foreach_axonius_network_event_data_cisa_vulnerabilities + if: ctx.axonius?.network?.event?.data?.cisa_vulnerabilities instanceof List + processor: + remove: + field: + - _ingest._value.cve_id + - _ingest._value.desc + tag: remove_custom_duplicate_fields_from_axonius_network_event_data_cisa_vulnerabilities + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - foreach: + field: axonius.network.event.data.normalization_reasons + tag: foreach_axonius_network_event_data_normalization_reasons + if: ctx.axonius?.network?.event?.data?.normalization_reasons instanceof List + processor: + remove: + field: _ingest._value.reason + tag: remove_custom_duplicate_fields_from_axonius_network_event_data_normalization_reasons + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - foreach: + field: axonius.network.event.data.plugin_and_severities + tag: foreach_axonius_network_event_data_plugin_and_severities + if: ctx.axonius?.network?.event?.data?.plugin_and_severities instanceof List + processor: + remove: + field: + - _ingest._value.cve + - _ingest._value.severity + tag: remove_custom_duplicate_fields_from_axonius_network_event_data_plugin_and_severities + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false 
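Review bot: The two `foreach` appends into `related.hash` (tags `append_event_data_software_cves_hash_id_into_related_hash` and `append_event_data_software_cves_solution_hash_id_into_related_hash`) have no `if` guard, so for any `software_cves` entry that lacks `hash_id` or `solution_hash_id` the mustache template `'{{{_ingest._value.hash_id}}}'` renders as an empty string and `''` is appended to `related.hash`. Every other append in this pipeline is guarded (for example `if: ctx.axonius?.network?.event?.data?.uuid != null` before the `related.hosts` append); please add the equivalent `if: ctx._ingest._value.hash_id != null` (and `solution_hash_id`) to these two. Separately, `set_vulnerability_enumeration_from_network_event_enrichment_type` copies `event.enrichment_type` into `vulnerability.enumeration`, which in ECS names the identifier scheme of the vulnerability (such as CVE); if `enrichment_type` does not carry that value it would be better kept only under `axonius.network.event.enrichment_type`.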
diff --git a/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-network-route.yml b/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-network-route.yml new file mode 100644 index 00000000000..552629b83a1 --- /dev/null +++ b/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-network-route.yml 
@@ -0,0 +1,323 @@ +--- +description: Pipeline for processing network route logs. +processors: + - rename: + field: json.event.data.devices_axon_ids + tag: rename_event_data_devices_axon_ids + target_field: axonius.network.event.data.devices_axon_ids + ignore_missing: true + - rename: + field: json.event.data.load_balancers_axon_ids + tag: rename_event_data_load_balancers_axon_ids + target_field: axonius.network.event.data.load_balancers_axon_ids + ignore_missing: true + - rename: + field: json.event.data.nat_rules_axon_ids + tag: rename_event_data_nat_rules_axon_ids + target_field: axonius.network.event.data.nat_rules_axon_ids + ignore_missing: true + - foreach: + field: json.event.data.route + tag: foreach_event_data_route_host_ipv4s + if: ctx.json?.event?.data?.route instanceof List + processor: + foreach: + field: _ingest._value.host_ipv4s + tag: foreach_event_data_route_host_ipv4s + ignore_missing: true + processor: + convert: + field: _ingest._value + tag: convert_event_data_route_host_ipv4s_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.route + tag: foreach_event_data_route_is_end_point + if: ctx.json?.event?.data?.route instanceof List + processor: + convert: + field: _ingest._value.is_end_point + tag: convert_event_data_route_is_end_point_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_end_point + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - 
foreach: + field: json.event.data.route + tag: foreach_event_data_route_is_entry_point + if: ctx.json?.event?.data?.route instanceof List + processor: + convert: + field: _ingest._value.is_entry_point + tag: convert_event_data_route_is_entry_point_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_entry_point + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.route + tag: foreach_event_data_route_is_public_facing + if: ctx.json?.event?.data?.route instanceof List + processor: + convert: + field: _ingest._value.is_public_facing + tag: convert_event_data_route_is_public_facing_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_public_facing + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.route + tag: foreach_event_data_route_nat_from_destination_integer_ip + if: ctx.json?.event?.data?.route instanceof List + processor: + convert: + field: _ingest._value.nat.from_destination_integer_ip + tag: convert_event_data_route_nat_from_destination_integer_ip_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.nat.from_destination_integer_ip + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: 
json.event.data.route + tag: foreach_event_data_route_nat_from_destination_ip_address + if: ctx.json?.event?.data?.route instanceof List + processor: + convert: + field: _ingest._value.nat.from_destination_ip_address + tag: convert_event_data_route_nat_from_destination_ip_address_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.nat.from_destination_ip_address + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.route + tag: foreach_event_data_route_nat_from_destination_ip_address + if: ctx.json?.event?.data?.route instanceof List + processor: + append: + field: destination.nat.ip + tag: append_event_data_route_nat_from_destination_ip_address_into_destination_nat_ip + value: '{{{_ingest._value.nat.from_destination_ip_address}}}' + allow_duplicates: false + - foreach: + field: json.event.data.route + tag: foreach_event_data_route_nat_from_source_integer_ip + if: ctx.json?.event?.data?.route instanceof List + processor: + convert: + field: _ingest._value.nat.from_source_integer_ip + tag: convert_event_data_route_nat_from_source_integer_ip_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.nat.from_source_integer_ip + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.route + tag: foreach_event_data_route_nat_from_source_ip_address + if: ctx.json?.event?.data?.route instanceof List + processor: + convert: + field: _ingest._value.nat.from_source_ip_address + tag: 
convert_event_data_route_nat_from_source_ip_address_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.nat.from_source_ip_address + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.route + tag: foreach_event_data_route_nat_from_source_ip_address + if: ctx.json?.event?.data?.route instanceof List + processor: + append: + field: source.nat.ip + tag: append_event_data_route_nat_from_source_ip_address_into_source_nat_ip + value: '{{{_ingest._value.nat.from_source_ip_address}}}' + allow_duplicates: false + - foreach: + field: json.event.data.route + tag: foreach_event_data_route_nat_is_destination_ip_range_public + if: ctx.json?.event?.data?.route instanceof List + processor: + convert: + field: _ingest._value.nat.is_destination_ip_range_public + tag: convert_event_data_route_nat_is_destination_ip_range_public_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.nat.is_destination_ip_range_public + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.route + tag: foreach_event_data_route_nat_is_source_ip_range_public + if: ctx.json?.event?.data?.route instanceof List + processor: + convert: + field: _ingest._value.nat.is_source_ip_range_public + tag: convert_event_data_route_nat_is_source_ip_range_public_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.nat.is_source_ip_range_public + ignore_missing: true + - append: + field: error.message + 
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.route + tag: foreach_event_data_route_nat_to_destination_integer_ip + if: ctx.json?.event?.data?.route instanceof List + processor: + convert: + field: _ingest._value.nat.to_destination_integer_ip + tag: convert_event_data_route_nat_to_destination_integer_ip_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.nat.to_destination_integer_ip + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.route + tag: foreach_event_data_route_nat_to_destination_ip_address + if: ctx.json?.event?.data?.route instanceof List + processor: + convert: + field: _ingest._value.nat.to_destination_ip_address + tag: convert_event_data_route_nat_to_destination_ip_address_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.nat.to_destination_ip_address + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.route + tag: foreach_event_data_route_nat_to_source_integer_ip + if: ctx.json?.event?.data?.route instanceof List + processor: + convert: + field: _ingest._value.nat.to_source_integer_ip + tag: convert_event_data_route_nat_to_source_integer_ip_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.nat.to_source_integer_ip + ignore_missing: 
true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.route + tag: foreach_event_data_route_nat_to_source_ip_address + if: ctx.json?.event?.data?.route instanceof List + processor: + convert: + field: _ingest._value.nat.to_source_ip_address + tag: convert_event_data_route_nat_to_source_ip_address_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.nat.to_source_ip_address + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.route + tag: rename_event_data_route + target_field: axonius.network.event.data.route + ignore_missing: true + - rename: + field: json.event.data.traffic_direction + tag: rename_event_data_traffic_direction + target_field: axonius.network.event.data.traffic_direction + ignore_missing: true + - rename: + field: json.event.data.urls_axon_ids + tag: rename_event_data_urls_axon_ids + target_field: axonius.network.event.data.urls_axon_ids + ignore_missing: true + - foreach: + field: axonius.network.event.data.route + tag: foreach_axonius_network_event_data_route_/ + if: ctx.axonius?.network?.event?.data?.route instanceof List + processor: + remove: + field: + - _ingest._value.nat.from_destination_ip_address + - _ingest._value.nat.from_source_ip_address + tag: remove_custom_duplicate_fields_from_axonius_network_event_data_route + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type 
}}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-network.yml b/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-network.yml new file mode 100644 index 00000000000..9e303e8cf07 --- /dev/null +++ b/packages/axonius/data_stream/network/elasticsearch/ingest_pipeline/pipeline-network.yml 
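Review bot: the two `append` processors in pipeline-network-routes.yml that copy `nat.from_destination_ip_address` into `destination.nat.ip` and `nat.from_source_ip_address` into `source.nat.ip` run for every element of `json.event.data.route` with no check that the field exists; a mustache template for a missing path renders as an empty string, so a route entry with no NAT data (or one whose value was just dropped by the preceding `convert ... type: ip` on_failure handler) appends `""` to an ECS `ip`-typed field, which is not a valid address and will be rejected or land as junk at index time (`allow_duplicates: false` only collapses repeated empties into one). Guard each append with a condition on the element, e.g. `if: ctx._ingest._value.nat?.from_destination_ip_address != null`, and the `from_source` equivalent. Two smaller points in the same file: several tags are reused (`foreach_event_data_route_host_ipv4s` on both the outer and inner foreach; `foreach_event_data_route_nat_from_destination_ip_address` and `..._from_source_ip_address` on both the convert foreach and the append foreach), which makes the on_failure messages ambiguous about which processor failed, and the tag `foreach_axonius_network_event_data_route_/` on the final foreach has a stray trailing `/`.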
@@ -0,0 +1,271 @@ +--- +description: Pipeline for processing network logs. +processors: + - rename: + field: json.event.data.access + tag: rename_event_data_access + target_field: axonius.network.event.data.access + ignore_missing: true + - rename: + field: json.event.data.cidr_blocks + tag: rename_event_data_cidr_blocks + target_field: axonius.network.event.data.cidr_blocks + ignore_missing: true + - date: + field: json.event.data.creation_time_stamp + tag: date_event_data_creation_time_stamp + target_field: axonius.network.event.data.creation_time_stamp + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + if: ctx.json?.event?.data?.creation_time_stamp != null && ctx.json.event.data.creation_time_stamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.created + tag: set_event_created_from_network_event_data_creation_time_stamp + copy_from: axonius.network.event.data.creation_time_stamp + ignore_empty_value: true + - rename: + field: json.event.data.direction + tag: rename_event_data_direction + target_field: axonius.network.event.data.direction + ignore_missing: true + - set: + field: network.direction + tag: set_network_direction_from_network_event_data_direction + copy_from: axonius.network.event.data.direction + ignore_empty_value: true + - lowercase: + field: network.direction + tag: lowercase_network_direction + ignore_missing: true + - rename: + field: json.event.data.location + tag: rename_event_data_location + target_field: axonius.network.event.data.location + ignore_missing: true + - set: + field: host.geo.city_name + tag: set_host_geo_city_name_from_network_event_data_location + copy_from: axonius.network.event.data.location + ignore_empty_value: true + - convert: + field: 
json.event.data.mtu + tag: convert_event_data_mtu_to_long + target_field: axonius.network.event.data.mtu + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.network_firewall_policy + tag: rename_event_data_network_firewall_policy + target_field: axonius.network.event.data.network_firewall_policy + ignore_missing: true + - foreach: + field: json.event.data.peerings + tag: foreach_event_data_peerings_exchange_subnet_routes + if: ctx.json?.event?.data?.peerings instanceof List + processor: + convert: + field: _ingest._value.exchange_subnet_routes + tag: convert_event_data_peerings_exchange_subnet_routes_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.exchange_subnet_routes + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.peerings + tag: foreach_event_data_peerings_export_custom_routes + if: ctx.json?.event?.data?.peerings instanceof List + processor: + convert: + field: _ingest._value.export_custom_routes + tag: convert_event_data_peerings_export_custom_routes_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.export_custom_routes + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.peerings + 
tag: foreach_event_data_peerings_import_custom_routes + if: ctx.json?.event?.data?.peerings instanceof List + processor: + convert: + field: _ingest._value.import_custom_routes + tag: convert_event_data_peerings_import_custom_routes_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.import_custom_routes + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.peerings + tag: foreach_event_data_peerings_peer_mtu + if: ctx.json?.event?.data?.peerings instanceof List + processor: + convert: + field: _ingest._value.peer_mtu + tag: convert_event_data_peerings_peer_mtu_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.peer_mtu + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.peerings + tag: rename_event_data_peerings + target_field: axonius.network.event.data.peerings + ignore_missing: true + - convert: + field: json.event.data.priority + tag: convert_event_data_priority_to_long + target_field: axonius.network.event.data.priority + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.project_id + tag: rename_event_data_project_id + target_field: axonius.network.event.data.project_id + ignore_missing: true + - 
rename: + field: json.event.data.provisioningState + tag: rename_event_data_provisioningState + target_field: axonius.network.event.data.provisioningState + ignore_missing: true + - rename: + field: json.event.data.routing_mode + tag: rename_event_data_routing_mode + target_field: axonius.network.event.data.routing_mode + ignore_missing: true + - rename: + field: json.event.data.state + tag: rename_event_data_state + target_field: axonius.network.event.data.state + ignore_missing: true + - foreach: + field: json.event.data.subnetworks + tag: foreach_event_data_subnetworks_creation_timestamp + if: ctx.json?.event?.data?.subnetworks instanceof List + processor: + date: + field: _ingest._value.creation_timestamp + tag: date_event_data_subnetworks_creation_timestamp + target_field: _ingest._value.creation_timestamp + formats: + - EEE, dd MMM yyyy HH:mm:ss 'GMT' + - yyyy-MM-dd + - EEE,dd MMM yyyy HH:mm:ss 'GMT' + on_failure: + - remove: + field: _ingest._value.creation_timestamp + ignore_missing: true + - foreach: + field: json.event.data.subnetworks + tag: foreach_event_data_subnetworks_gateway_address + if: ctx.json?.event?.data?.subnetworks instanceof List + processor: + convert: + field: _ingest._value.gateway_address + tag: convert_event_data_subnetworks_gateway_address_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.gateway_address + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.subnetworks + tag: foreach_event_data_subnetworks_ip_cidr_range + if: ctx.json?.event?.data?.subnetworks instanceof List + processor: + convert: + field: _ingest._value.ip_cidr_range + tag: convert_event_data_subnetworks_ip_cidr_range_to_ip + type: ip + ignore_missing: true + on_failure: + - 
remove: + field: _ingest._value.ip_cidr_range + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.event.data.subnetworks + tag: foreach_event_data_subnetworks_private_ip_google_access + if: ctx.json?.event?.data?.subnetworks instanceof List + processor: + convert: + field: _ingest._value.private_ip_google_access + tag: convert_event_data_subnetworks_private_ip_google_access_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.private_ip_google_access + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event.data.subnetworks + tag: rename_event_data_subnetworks + target_field: axonius.network.event.data.subnetworks + ignore_missing: true + - rename: + field: json.event.data.subscription_id + tag: rename_event_data_subscription_id + target_field: axonius.network.event.data.subscription_id + ignore_missing: true + - rename: + field: json.event.data.subscription_name + tag: rename_event_data_subscription_name + target_field: axonius.network.event.data.subscription_name + ignore_missing: true +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + 
allow_duplicates: false diff --git a/packages/axonius/data_stream/network/fields/base-fields.yml b/packages/axonius/data_stream/network/fields/base-fields.yml new file mode 100644 index 00000000000..ec2fdb020c0 --- /dev/null +++ b/packages/axonius/data_stream/network/fields/base-fields.yml @@ -0,0 +1,16 @@ +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: data_stream.type + external: ecs +- name: event.dataset + type: constant_keyword + external: ecs + value: axonius.network +- name: event.module + type: constant_keyword + external: ecs + value: axonius +- name: '@timestamp' + external: ecs diff --git a/packages/axonius/data_stream/network/fields/beats.yml b/packages/axonius/data_stream/network/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/axonius/data_stream/network/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/axonius/data_stream/network/fields/ecs.yml b/packages/axonius/data_stream/network/fields/ecs.yml new file mode 100644 index 00000000000..e1d89be8ab4 --- /dev/null +++ b/packages/axonius/data_stream/network/fields/ecs.yml @@ -0,0 +1,5 @@ +# Define ECS constant fields as constant_keyword +- name: observer.vendor + external: ecs + type: constant_keyword + value: Axonius diff --git a/packages/axonius/data_stream/network/fields/fields.yml b/packages/axonius/data_stream/network/fields/fields.yml new file mode 100644 index 00000000000..a22269c5b9c --- /dev/null +++ b/packages/axonius/data_stream/network/fields/fields.yml 
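Review bot: in pipeline-network.yml the processor tagged `convert_event_data_subnetworks_ip_cidr_range_to_ip` converts `subnetworks.ip_cidr_range` to `type: ip`, but as the field name says this value is a CIDR range (e.g. `10.0.0.0/24`, a constructed example), and the `convert` processor's `ip` type accepts only a bare IPv4/IPv6 address, so for real subnet data the conversion fails on every element: the on_failure handler removes the field and appends an `error.message` to each document. Leave the value as a keyword, as the top-level `cidr_blocks` is a few processors earlier (or map it as `ip_range`), and drop the convert. Also worth a second look: `set` copies `axonius.network.event.data.location` into `host.geo.city_name`, while the surrounding fields (`project_id`, `subscription_id`, `routing_mode`, `peerings`, `subnetworks`) describe cloud VPC/VNet objects whose location is normally a region rather than a city; `cloud.region` is the closer ECS field, and populating `host.*` for a network asset rather than a host is itself questionable. Minor: the `date` processor under `foreach_event_data_subnetworks_creation_timestamp` is the only one in this file whose on_failure removes the field silently without appending to `error.message`; either is fine, but it should match the rest of the pipeline.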
@@ -0,0 +1,1138 @@ +- name: axonius + type: group + fields: + - name: network + type: group + fields: + - name: adapter_list_length + type: long + - name: adapters + type: keyword + - name: asset_type + type: keyword + - name: event + type: group + fields: + - name: accurate_for_datetime + type: date + - name: action_if_exists + type: keyword + - name: adapter_categories + type: keyword + - name: associated_adapter_plugin_name + type: keyword + - name: association_type + type: keyword + - name: client_used + type: keyword + - name: data + type: group + fields: + - name: _keep_hostname_empty + type: boolean + - name: access + type: keyword + - name: accurate_for_datetime + type: date + - name: action + type: keyword + - name: adapter_properties + type: keyword + - name: agent_version + type: keyword + - name: agent_versions + type: group + fields: + - name: adapter_name + type: keyword + - name: agent_version + type: keyword + - name: agent_version_raw + type: keyword + - name: all_associated_email_addresses + type: keyword + - name: allow_nat + type: boolean + - name: anti_malware_agent_status + type: keyword + - name: anti_malware_agent_status_message + type: keyword + - name: anti_malware_state + type: keyword + - name: application_and_account_name + type: keyword + - name: applications + type: keyword + - name: arp_interface + type: keyword + - name: arp_port + type: keyword + - name: arp_status + type: keyword + - name: arp_ttl + type: long + - name: assessed_for_policies + type: boolean + - name: assessed_for_vulnerabilities + type: boolean + - name: asset_entity_info + type: keyword + - name: asset_install_status + type: keyword + - name: asset_tag + type: keyword + - name: asset_type + type: keyword + - name: asset_user_name + type: keyword + - name: associated_device_users + type: group + fields: + - name: internal_axon_id + type: keyword + - name: is_latest_used_user + type: boolean + - name: last_used_departments + type: keyword + - name: last_used_email 
+ type: keyword + - name: last_used_email_domain + type: keyword + - name: last_used_user_manager + type: keyword + - name: associated_saas_applications + type: group + fields: + - name: internal_axon_id + type: keyword + - name: name + type: keyword + - name: axon_id + type: keyword + - name: axonius_instance_name + type: keyword + - name: balanced_integer_ips + type: long + - name: balanced_ips + type: ip + - name: browsers + type: group + fields: + - name: channel + type: keyword + - name: version + type: keyword + - name: category + type: keyword + - name: certificate_expiry_date + type: date + - name: chrome_device_type + type: keyword + - name: cidr_blocks + type: keyword + - name: cisa_vulnerabilities + type: group + fields: + - name: action + type: keyword + - name: added + type: date + - name: cve_id + type: keyword + - name: desc + type: keyword + - name: due_date + type: date + - name: notes + type: keyword + - name: product + type: keyword + - name: used_in_ransomware + type: boolean + - name: vendor + type: keyword + - name: vulnerability_name + type: keyword + - name: class_name + type: keyword + - name: class_title + type: keyword + - name: class_type + type: keyword + - name: cloud_provider_account_id + type: keyword + - name: cmdb_business_applications + type: group + fields: + - name: app_owner + type: keyword + - name: assignment_group + type: keyword + - name: business_criticality + type: keyword + - name: install_status + type: keyword + - name: managed_by + type: keyword + - name: name + type: keyword + - name: number + type: keyword + - name: u_architect + type: keyword + - name: u_availability_criticality + type: keyword + - name: u_confidentiality_criticality + type: keyword + - name: u_crown_jewel + type: boolean + - name: u_integrity_criticality + type: keyword + - name: u_privacy_criticality + type: keyword + - name: color + type: keyword + - name: common_users + type: keyword + - name: company + type: keyword + - name: confidence_level 
+ type: long + - name: connected_assets + type: keyword + - name: connected_devices + type: keyword + - name: cp_type + type: keyword + - name: cpus + type: group + fields: + - name: cores + type: long + - name: ghz + type: double + - name: manufacturer + type: keyword + - name: name + type: keyword + - name: creation_time_stamp + type: date + - name: criticality + type: keyword + - name: custom_risk_owner + type: keyword + - name: data_center + type: keyword + - name: destination + type: keyword + - name: destination_addresses + type: keyword + - name: destination_ips + type: ip + - name: destination_port + type: long + - name: destination_zone + type: keyword + - name: device_group + type: keyword + - name: device_manufacturer + type: keyword + - name: device_serial + type: keyword + - name: device_state + type: keyword + - name: device_type + type: keyword + - name: devices_axon_ids + type: keyword + - name: direction + type: keyword + - name: disk_encryption_configuration + type: keyword + - name: domain + type: keyword + - name: entity_id + type: keyword + - name: environment + type: keyword + - name: epo_host + type: keyword + - name: epo_id + type: keyword + - name: epo_products + type: keyword + - name: excluded_software_cves + type: keyword + - name: external_cloud_account_id + type: keyword + - name: external_ip + type: ip + - name: external_nat_ip + type: ip + - name: fetch_proto + type: keyword + - name: fetch_time + type: date + - name: fields_to_unset + type: keyword + - name: fingerprint + type: keyword + - name: firewall_enabled + type: boolean + - name: firewall_rules + type: keyword + - name: first_fetch_time + type: date + - name: first_seen + type: date + - name: fqdn + type: keyword + - name: free_physical_memory + type: double + - name: from_last_fetch + type: boolean + - name: general + type: group + fields: + - name: extension_name + type: keyword + - name: extension_value + type: keyword + - name: generic_encryption + type: group + fields: 
+ - name: status + type: boolean + - name: ghost + type: boolean + - name: guest_dns_name + type: keyword + - name: guest_family + type: keyword + - name: guest_name + type: keyword + - name: guest_state + type: keyword + - name: hard_drives + type: group + fields: + - name: free_size + type: double + - name: is_encrypted + type: boolean + - name: total_size + type: double + - name: hardware_status + type: keyword + - name: hostname + type: keyword + - name: id + type: keyword + - name: id_raw + type: keyword + - name: in_groups + type: keyword + - name: inbound_rules + type: group + fields: + - name: from_port + type: long + - name: ip_protocol + type: keyword + - name: ip_ranges + type: keyword + - name: to_port + type: long + - name: type + type: keyword + - name: install_status + type: keyword + - name: installed_software + type: group + fields: + - name: generated_cpe + type: keyword + - name: name + type: keyword + - name: name_version + type: keyword + - name: sw_uid + type: keyword + - name: vendor + type: keyword + - name: vendor_publisher + type: keyword + - name: version + type: keyword + - name: version_raw + type: keyword + - name: ip_address_guid + type: keyword + - name: is_authenticated_scan + type: boolean + - name: is_enabled + type: boolean + - name: is_exposing_public_traffic + type: boolean + - name: is_fetched_from_adapter + type: boolean + - name: is_fragile + type: boolean + - name: is_latest_last_seen + type: boolean + - name: is_managed + type: boolean + - name: is_network_infra_device + type: boolean + - name: is_purchased + type: boolean + - name: is_safe + type: boolean + - name: jamf_groups + type: keyword + - name: jamf_groups_detailed + type: group + fields: + - name: group_id + type: keyword + - name: group_name + type: keyword + - name: smart_group + type: boolean + - name: jamf_id + type: keyword + - name: jamf_location + type: group + fields: + - name: building + type: keyword + - name: email_address + type: keyword + - name: 
phone_number + type: keyword + - name: position + type: keyword + - name: real_name + type: keyword + - name: room + type: long + - name: username + type: keyword + - name: jamf_version + type: keyword + - name: last_agent_import + type: date + - name: last_auth_run + type: date + - name: last_contact_time + type: date + - name: last_enrolled_date_utc + type: date + - name: last_fetch_connection_id + type: keyword + - name: last_fetch_connection_label + type: keyword + - name: last_scan + type: date + - name: last_seen + type: date + - name: last_seen_agents + type: date + - name: last_unauth_run + type: date + - name: last_used_users + type: keyword + - name: last_used_users_departments_association + type: keyword + - name: last_used_users_email_domain_association + type: keyword + - name: last_used_users_internal_axon_id_association + type: keyword + - name: last_used_users_mail_association + type: keyword + - name: last_used_users_user_manager_association + type: keyword + - name: last_used_users_user_manager_mail_association + type: keyword + - name: last_used_users_user_status_association + type: keyword + - name: last_used_users_user_title_association + type: keyword + - name: latest_used_user + type: keyword + - name: latest_used_user_department + type: keyword + - name: latest_used_user_email_domain + type: keyword + - name: latest_used_user_mail + type: keyword + - name: latest_used_user_user_manager + type: keyword + - name: latest_used_user_user_status + type: keyword + - name: latest_used_user_user_title + type: keyword + - name: linked_tickets + type: group + fields: + - name: category + type: keyword + - name: created + type: date + - name: description + type: keyword + - name: display_id + type: keyword + - name: priority + type: keyword + - name: reporter + type: keyword + - name: status + type: keyword + - name: summary + type: keyword + - name: updated + type: date + - name: load_balancers_axon_ids + type: keyword + - name: location + type: 
keyword + - name: lock + type: keyword + - name: meeting_id + type: keyword + - name: method + type: keyword + - name: microphone + type: keyword + - name: mtu + type: long + - name: name + type: keyword + - name: nat_policy_ips + type: group + fields: + - name: address + type: ip + - name: direction + type: keyword + - name: matched_on + type: keyword + - name: policy_name + type: keyword + - name: rule_num + type: long + - name: uid + type: keyword + - name: nat_rules_axon_ids + type: keyword + - name: nat_translations + type: group + fields: + - name: from_destination_integer_ip + type: long + - name: from_source_integer_ip + type: long + - name: is_destination_ip_range_public + type: boolean + - name: is_source_ip_range_public + type: boolean + - name: to_destination_integer_ip + type: long + - name: to_source_integer_ip + type: long + - name: network + type: keyword + - name: network_firewall_policy + type: keyword + - name: network_interfaces + type: group + fields: + - name: ips + type: keyword + - name: ips_raw + type: long + - name: ips_v4 + type: keyword + - name: ips_v4_raw + type: long + - name: mac + type: keyword + - name: manufacturer + type: keyword + - name: subnets + type: keyword + - name: network_status + type: keyword + - name: network_type + type: keyword + - name: nexpose_id + type: keyword + - name: nexpose_type + type: keyword + - name: node_id + type: keyword + - name: node_name + type: keyword + - name: normalization_reasons + type: group + fields: + - name: calculated_time + type: date + - name: key + type: keyword + - name: original + type: keyword + - name: reason + type: keyword + - name: not_fetched_count + type: long + - name: open_ports + type: group + fields: + - name: port_id + type: keyword + - name: protocol + type: keyword + - name: operational_status + type: keyword + - name: organizational_unit + type: keyword + - name: os + type: group + fields: + - name: codename + type: keyword + - name: distribution + type: keyword + - 
name: distribution_name + type: keyword + - name: end_of_life + type: date + - name: end_of_support + type: date + - name: is_end_of_life + type: boolean + - name: is_end_of_support + type: boolean + - name: is_latest_os_version + type: boolean + - name: is_windows_server + type: boolean + - name: latest_os_version + type: keyword + - name: major + type: long + - name: minor + type: long + - name: os_cpe + type: keyword + - name: os_dotted + type: keyword + - name: os_dotted_raw + type: long + - name: os_str + type: keyword + - name: type + type: keyword + - name: type_distribution + type: keyword + - name: os_ext_attributes + type: group + fields: + - name: attr_name + type: keyword + - name: data_type + type: keyword + - name: definition_id + type: keyword + - name: ext_description + type: keyword + - name: input_type + type: keyword + - name: is_enabled + type: boolean + - name: is_multivalue + type: boolean + - name: values + type: keyword + - name: owner + type: keyword + - name: paloalto_device_type + type: keyword + - name: part_of_domain + type: boolean + - name: peerings + type: group + fields: + - name: exchange_subnet_routes + type: boolean + - name: export_custom_routes + type: boolean + - name: import_custom_routes + type: boolean + - name: peer_mtu + type: long + - name: state + type: keyword + - name: state_details + type: keyword + - name: physical_location + type: keyword + - name: physical_memory_percentage + type: double + - name: plugin_and_severities + type: group + fields: + - name: cpe + type: keyword + - name: cve + type: keyword + - name: cvss_base_score + type: float + - name: days_seen + type: long + - name: exploit_available + type: boolean + - name: family + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: first_found + type: date + - name: first_seen + type: date + - name: has_been_mitigated + type: boolean + - name: has_patch + type: boolean + - name: last_fixed + type: date + - name: 
last_found + type: date + - name: last_seen + type: date + - name: mitigated + type: boolean + - name: nessus_instance + type: group + fields: + - name: credentialed_check + type: keyword + - name: display_superseded_patches + type: boolean + - name: experimental_tests + type: boolean + - name: patch_management_checks + type: keyword + - name: plugin_feed_version + type: keyword + - name: report_verbosity + type: long + - name: safe_check + type: boolean + - name: scan_name + type: keyword + - name: scan_policy_used + type: keyword + - name: scan_type + type: keyword + - name: scanner_edition_used + type: keyword + - name: scanner_ip + type: ip + - name: thorough_tests + type: boolean + - name: version + type: keyword + - name: patch_publication_date + type: date + - name: plugin + type: keyword + - name: plugin_id + type: keyword + - name: plugin_id_number + type: keyword + - name: severity + type: keyword + - name: severity_modification_type + type: keyword + - name: solution + type: keyword + - name: state + type: keyword + - name: unsupported_by_vendor + type: boolean + - name: vpr_score + type: float + - name: vuln_state + type: keyword + - name: policy_id + type: keyword + - name: policy_name + type: keyword + - name: pool_members_ips + type: ip + - name: pool_name + type: keyword + - name: power_state + type: keyword + - name: pretty_id + type: keyword + - name: priority + type: long + - name: private_integer_ips + type: long + - name: private_ips + type: ip + - name: project_id + type: keyword + - name: protocol + type: keyword + - name: provisioningState + type: keyword + - name: public_ips + type: ip + - name: ranger_version + type: keyword + - name: raw_hostname + type: keyword + - name: read_only + type: boolean + - name: recording + type: boolean + - name: relatable_ids + type: keyword + - name: related_network_route_ids + type: keyword + - name: relative_path + type: keyword + - name: report_date + type: date + - name: resource_group + type: keyword + 
- name: risk_level + type: long + - name: risk_level_value + type: keyword + - name: route + type: group + fields: + - name: asset + type: keyword + - name: asset_internal_axon_id + type: keyword + - name: host_ipv4s + type: ip + - name: is_end_point + type: boolean + - name: is_entry_point + type: boolean + - name: is_public_facing + type: boolean + - name: name + type: keyword + - name: nat + type: group + fields: + - name: from_destination_integer_ip + type: long + - name: from_destination_ip_address + type: ip + - name: from_source_integer_ip + type: long + - name: from_source_ip_address + type: ip + - name: is_destination_ip_range_public + type: boolean + - name: is_source_ip_range_public + type: boolean + - name: to_destination_integer_ip + type: long + - name: to_destination_ip_address + type: ip + - name: to_source_integer_ip + type: long + - name: to_source_ip_address + type: ip + - name: order + type: keyword + - name: product_type + type: keyword + - name: vendors + type: keyword + - name: routing_mode + type: keyword + - name: rule_base_type + type: keyword + - name: rule_type + type: keyword + - name: scan_results + type: keyword + - name: scan_results_objs + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: status + type: keyword + - name: scanner + type: boolean + - name: security_updates_last_changed + type: date + - name: security_updates_status + type: keyword + - name: server_type + type: keyword + - name: service + type: keyword + - name: services + type: keyword + - name: severity_critical + type: long + - name: severity_high + type: long + - name: severity_info + type: long + - name: severity_low + type: long + - name: severity_medium + type: long + - name: share_application + type: boolean + - name: share_desktop + type: boolean + - name: share_whiteboard + type: boolean + - name: sip_status + type: boolean + - name: site_name + type: keyword + - name: software_cves + type: group + fields: + - name: 
axonius_risk_score + type: double + - name: axonius_status + type: keyword + - name: axonius_status_last_update + type: date + - name: custom_software_cves_business_unit + type: keyword + - name: cve_from_sw_analysis + type: boolean + - name: cve_id + type: keyword + - name: cve_list + type: keyword + - name: cve_severity + type: keyword + - name: cve_synopsis + type: keyword + - name: cvss + type: float + - name: cvss2_score + type: float + - name: cvss2_score_num + type: float + - name: cvss3_score + type: float + - name: cvss3_score_num + type: float + - name: cvss4_score + type: float + - name: cvss4_score_num + type: float + - name: cvss_str + type: keyword + - name: cvss_vector + type: keyword + - name: cvss_version + type: keyword + - name: cwe_id + type: keyword + - name: epss + type: group + fields: + - name: creation_date + type: date + - name: cve_id + type: keyword + - name: percentile + type: double + - name: score + type: double + - name: exploitability_score + type: double + - name: first_fetch_time + type: date + - name: hash_id + type: keyword + - name: impact_score + type: double + - name: last_fetch_time + type: date + - name: last_modified_date + type: date + - name: mitigated + type: boolean + - name: msrc + type: group + fields: + - name: creation_date + type: keyword + - name: cve_id + type: keyword + - name: title + type: keyword + - name: nvd_publish_age + type: long + - name: publish_date + type: date + - name: software_name + type: keyword + - name: software_type + type: keyword + - name: software_vendor + type: keyword + - name: software_version + type: keyword + - name: solution_hash_id + type: keyword + - name: version_raw + type: keyword + - name: source_addresses + type: ip + - name: source_application + type: keyword + - name: source_ips + type: ip + - name: source_zone + type: keyword + - name: speaker + type: keyword + - name: special_hint + type: long + - name: special_hint_underscore + type: keyword + - name: state + type: 
keyword + - name: subnet_tag + type: keyword + - name: subnetworks + type: group + fields: + - name: creation_timestamp + type: date + - name: gateway_address + type: ip + - name: id + type: keyword + - name: ip_cidr_range + type: ip + - name: name + type: keyword + - name: private_ip_google_access + type: boolean + - name: subscription_id + type: keyword + - name: subscription_name + type: keyword + - name: swap_free + type: double + - name: swap_total + type: double + - name: sys_id + type: keyword + - name: table_type + type: keyword + - name: tenant_number + type: keyword + - name: tenant_tag + type: keyword + - name: threat_level + type: keyword + - name: threats + type: keyword + - name: total + type: long + - name: total_number_of_cores + type: long + - name: total_physical_memory + type: double + - name: traffic_direction + type: keyword + - name: type + type: keyword + - name: u_business_owner + type: keyword + - name: u_business_unit + type: keyword + - name: uniq_sites_count + type: long + - name: uri + type: keyword + - name: urls_axon_ids + type: keyword + - name: uuid + type: keyword + - name: vendor + type: keyword + - name: virtual_host + type: boolean + - name: vm_status + type: keyword + - name: vm_type + type: keyword + - name: vpn_domain + type: keyword + - name: vpn_is_local + type: boolean + - name: vpn_lifetime + type: long + - name: vpn_public_ip + type: ip + - name: vpn_tunnel_type + type: keyword + - name: vpn_type + type: keyword + - name: z_sys_class_name + type: keyword + - name: z_table_hierarchy + type: group + fields: + - name: name + type: keyword + - name: zoom_ip + type: ip + - name: enrichment_type + type: keyword + - name: entity + type: keyword + - name: hidden_for_gui + type: boolean + - name: initial_plugin_unique_name + type: keyword + - name: name + type: keyword + - name: plugin_name + type: keyword + - name: plugin_type + type: keyword + - name: plugin_unique_name + type: keyword + - name: quick_id + type: keyword + - 
name: type + type: keyword + - name: internal_axon_id + type: keyword + - name: labels + type: keyword + - name: transform_unique_id + type: keyword diff --git a/packages/axonius/data_stream/network/fields/is-transform-source-true.yml b/packages/axonius/data_stream/network/fields/is-transform-source-true.yml new file mode 100644 index 00000000000..367ed8d40c6 --- /dev/null +++ b/packages/axonius/data_stream/network/fields/is-transform-source-true.yml @@ -0,0 +1,4 @@ +- name: labels.is_transform_source + type: constant_keyword + description: Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. + value: 'true' diff --git a/packages/axonius/data_stream/network/lifecycle.yml b/packages/axonius/data_stream/network/lifecycle.yml new file mode 100644 index 00000000000..f7b0d98d5aa --- /dev/null +++ b/packages/axonius/data_stream/network/lifecycle.yml @@ -0,0 +1 @@ +data_retention: '30d' diff --git a/packages/axonius/data_stream/network/manifest.yml b/packages/axonius/data_stream/network/manifest.yml new file mode 100644 index 00000000000..d75212d3016 --- /dev/null +++ b/packages/axonius/data_stream/network/manifest.yml 
@@ -0,0 +1,72 @@ +title: Network +type: logs +ilm_policy: logs-axonius.network-default_policy +streams: + - input: cel + title: Network + description: Collect Network logs from Axonius. + template_path: cel.yml.hbs + vars: + - name: interval + type: text + title: Interval + description: Duration between requests to the Axonius API. Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 24h + - name: batch_size + type: integer + title: Batch Size + description: Batch size for the response of the Axonius API. The batch size can range from a minimum of 1 to a maximum of 2000. + default: 2000 + multi: false + required: true + show_user: true + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + default: false + required: false + show_user: false + description: >- + The request tracer logs requests and responses to the agent's local file-system for debugging configurations. + Enabling this request tracing compromises security and should only be used for debugging. Disabling the request + tracer will delete any stored traces. + See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) + for details. + - name: tags + type: text + title: Tags + description: Tags for the data-stream. + multi: true + required: true + show_user: false + default: + - forwarded + - axonius-network + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 5m + - name: preserve_duplicate_custom_fields + required: false + title: Preserve duplicate custom fields + description: Preserve axonius.network.* fields that were copied to Elastic Common Schema (ECS) fields. 
+ type: bool + multi: false + show_user: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. diff --git a/packages/axonius/data_stream/network/sample_event.json b/packages/axonius/data_stream/network/sample_event.json new file mode 100644 index 00000000000..88dcfd02503 --- /dev/null +++ b/packages/axonius/data_stream/network/sample_event.json 
@@ -0,0 +1,106 @@ +{ + "@timestamp": "2025-12-16T00:02:05.000Z", + "agent": { + "ephemeral_id": "6f10dc02-e214-4fe8-aac7-75f2655c9de3", + "id": "2032ce7d-4d83-416e-9228-8e7eddd0c9ac", + "name": "elastic-agent-87669", + "type": "filebeat", + "version": "9.1.3" + }, + "axonius": { + "network": { + "adapter_list_length": 1, + "adapters": "azure_adapter", + "asset_type": "networks", + "event": { + "accurate_for_datetime": "2025-12-16T00:02:05.000Z", + "adapter_categories": "Cloud Infra", + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "2025-12-16T00:02:05.000Z", + "application_and_account_name": "azure/azure-demo", + "connected_assets": "subscription_id::64062aef-14a6-42a4-86b1-8a25d0c7cb24", + "direction": "Inbound", + "fetch_time": "2025-12-16T00:02:04.000Z", + "first_fetch_time": "2025-12-14T16:49:34.000Z", + "from_last_fetch": true, + "id": "2142ce3eb735930b68a7", + "id_raw": "912b0b56-fb12-4fe9-8f88-214c6c6b32e5", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "New York City", + "name": "FTP-ENABLED-Allowedcb5E-", + "not_fetched_count": 0, + "pretty_id": "AX-1156168648572164619", + "priority": 1937, + "protocol": "UDP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "b3fa20bb-a9c1-4cb6-80a9-13bcc9d68da5", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": "2", + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + "plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!2142ce3eb735930b68a7", + "type": "entitydata" + }, + "internal_axon_id": "100b89429e965a0bf70a9bae08c4b679", + "transform_unique_id": "+d3LsTUHSgxeH1GKpDIbo8Oh1Jk=" + } + }, + "data_stream": { + "dataset": "axonius.network", + "namespace": "67215", + "type": "logs" + }, + 
"ecs": { + "version": "9.2.0" + }, + "elastic_agent": { + "id": "2032ce7d-4d83-416e-9228-8e7eddd0c9ac", + "snapshot": false, + "version": "9.1.3" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "axonius.network", + "ingested": "2025-12-24T10:43:02Z", + "kind": "event", + "module": "axonius", + "type": [ + "info" + ] + }, + "host": { + "geo": { + "city_name": "New York City" + } + }, + "input": { + "type": "cel" + }, + "labels": { + "is_transform_source": "true" + }, + "network": { + "direction": "inbound", + "protocol": "udp" + }, + "observer": { + "vendor": "Axonius" + }, + "tags": [ + "preserve_duplicate_custom_fields", + "forwarded", + "axonius-network" + ] +} diff --git a/packages/axonius/docs/README.md b/packages/axonius/docs/README.md new file mode 100644 index 00000000000..2e45b8bc1a4 --- /dev/null +++ b/packages/axonius/docs/README.md 
@@ -0,0 +1,803 @@ +# Axonius Integration for Elastic + +## Overview + +[Axonius](https://www.axonius.com/) is a cybersecurity asset management platform that automatically collects data from hundreds of IT and security tools through adapters, merges that information, and builds a unified inventory of all assets including devices, users, SaaS apps, cloud instances, and more. By correlating data from multiple systems, Axonius helps organizations identify visibility gaps, missing security controls, risky configurations, and compliance issues. It lets you create powerful queries to answer any security or IT question and automate actions such as sending alerts, creating tickets, or enforcing policies. + +This integration for Elastic allows you to collect assets and security events data using the Axonius API, then visualize the data in Kibana. + +### Compatibility +The Axonius integration is compatible with product version **7.0**. + +### How it works +This integration periodically queries the Axonius API to retrieve logs. + +## What data does this integration collect? +This integration collects log messages of the following type: + +- `Network`: Collect details of all identity assets including: + - networks (endpoint: `/api/v2/networks`) + - load_balancers (endpoint: `/api/v2/load_balancers`) + - network_services (endpoint: `/api/v2/network_services`) + - network_devices (endpoint: `/api/v2/network_devices`) + - firewalls (endpoint: `/api/v2/firewalls`) + - nat_rules (endpoint: `/api/v2/nat_rules`) + - network_routes (endpoint: `/api/v2/network_routes`) + +### Supported use cases + +Integrating the Axonius Network Datastream with Elastic SIEM provides centralized visibility into network assets, traffic exposure, and connectivity across the environment. Kibana dashboards surface key insights into network asset status, device states, and routing behavior, helping analysts quickly understand overall network posture and potential exposure points. 
+ +The dashboards present clear breakdowns of assets by protocol, type, category, and operating system, while metrics highlight publicly exposed and unsafe network devices. Tables provide actionable context around top sources, destinations, subnetworks, routes, locations, and vendors, supporting deeper analysis of network dependencies and communication paths. + +These insights help security teams identify network exposure hotspots, detect misconfigurations or risky assets, and streamline network-focused investigations across the organization. + +## What do I need to use this integration? + +### From Elastic + +This integration installs [Elastic latest transforms](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview). For more details, check the [Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) setup and requirements. + +### From Axonius + +To collect data through the Axonius APIs, you need to provide the **URL**, **API Key** and **API Secret**. Authentication is handled using the **API Key** and **API Secret**, which serves as the required credential. + +#### Retrieve URL, API Token and API Secret: + +1. Log in to the **Axonius** instance. +2. Your instance URL is your Base **URL**. +3. Navigate to **User Settings > API Key**. +4. Generate an **API Key**. +5. If you do not see the API Key tab in your user settings, follow these steps: + 1. Go to **System Settings** > **User and Role Management** > **Service Accounts**. + 2. Create a Service Account, and then generate an **API Key**. +6. Copy both values including **API Key and Secret Key** and store them securely for use in the Integration configuration. + +**Note:** +To generate or reset an API key, your role must be **Admin**, and you must have **API Access** permissions, which include **API Access Enabled** and **Reset API Key**. + +## How do I deploy this integration? 
+ +This integration supports both Elastic Agentless-based and Agent-based installations. + +### Agent-based deployment + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. + +Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. + +### Agentless deployment + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using an agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it. + +For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html) + +### Configure + +1. In the top search bar in Kibana, search for **Integrations**. +2. In the search bar, type **Axonius**. +3. Select the **Axonius** integration from the search results. +4. Select **Add Axonius** to add the integration. +5. Enable and configure only the collection methods which you will use. + + * To **Collect logs from Axonius API**, you'll need to: + + - Configure **URL**, **API Key** and **API Secret**. + - Adjust the integration configuration parameters if required, including the Interval, HTTP Client Timeout etc. to enable data collection. + +6. Select **Save and continue** to save the integration. + +### Validation + +#### Dashboard populated + +1. In the top search bar in Kibana, search for **Dashboards**. +2. 
In the search bar, type **Axonius**, and verify the dashboard information is populated. + +#### Transforms healthy + +1. In the top search bar in Kibana, search for **Transforms**. +2. Select the **Data / Transforms** from the search results. +3. In the search bar, type **axonius**. +4. All transforms from the search results should indicate **Healthy** under the **Health** column. + +## Troubleshooting + +For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems). + +## Scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. + +## Reference + +### Network + +The `network` data stream provides network events from axonius. + +#### network fields + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
| date | +| axonius.network.adapter_list_length | | long | +| axonius.network.adapters | | keyword | +| axonius.network.asset_type | | keyword | +| axonius.network.event.accurate_for_datetime | | date | +| axonius.network.event.action_if_exists | | keyword | +| axonius.network.event.adapter_categories | | keyword | +| axonius.network.event.associated_adapter_plugin_name | | keyword | +| axonius.network.event.association_type | | keyword | +| axonius.network.event.client_used | | keyword | +| axonius.network.event.data._keep_hostname_empty | | boolean | +| axonius.network.event.data.access | | keyword | +| axonius.network.event.data.accurate_for_datetime | | date | +| axonius.network.event.data.action | | keyword | +| axonius.network.event.data.adapter_properties | | keyword | +| axonius.network.event.data.agent_version | | keyword | +| axonius.network.event.data.agent_versions.adapter_name | | keyword | +| axonius.network.event.data.agent_versions.agent_version | | keyword | +| axonius.network.event.data.agent_versions.agent_version_raw | | keyword | +| axonius.network.event.data.all_associated_email_addresses | | keyword | +| axonius.network.event.data.allow_nat | | boolean | +| axonius.network.event.data.anti_malware_agent_status | | keyword | +| axonius.network.event.data.anti_malware_agent_status_message | | keyword | +| axonius.network.event.data.anti_malware_state | | keyword | +| axonius.network.event.data.application_and_account_name | | keyword | +| axonius.network.event.data.applications | | keyword | +| axonius.network.event.data.arp_interface | | keyword | +| axonius.network.event.data.arp_port | | keyword | +| axonius.network.event.data.arp_status | | keyword | +| axonius.network.event.data.arp_ttl | | long | +| axonius.network.event.data.assessed_for_policies | | boolean | +| axonius.network.event.data.assessed_for_vulnerabilities | | boolean | +| axonius.network.event.data.asset_entity_info | | keyword | +| 
axonius.network.event.data.asset_install_status | | keyword | +| axonius.network.event.data.asset_tag | | keyword | +| axonius.network.event.data.asset_type | | keyword | +| axonius.network.event.data.asset_user_name | | keyword | +| axonius.network.event.data.associated_device_users.internal_axon_id | | keyword | +| axonius.network.event.data.associated_device_users.is_latest_used_user | | boolean | +| axonius.network.event.data.associated_device_users.last_used_departments | | keyword | +| axonius.network.event.data.associated_device_users.last_used_email | | keyword | +| axonius.network.event.data.associated_device_users.last_used_email_domain | | keyword | +| axonius.network.event.data.associated_device_users.last_used_user_manager | | keyword | +| axonius.network.event.data.associated_saas_applications.internal_axon_id | | keyword | +| axonius.network.event.data.associated_saas_applications.name | | keyword | +| axonius.network.event.data.axon_id | | keyword | +| axonius.network.event.data.axonius_instance_name | | keyword | +| axonius.network.event.data.balanced_integer_ips | | long | +| axonius.network.event.data.balanced_ips | | ip | +| axonius.network.event.data.browsers.channel | | keyword | +| axonius.network.event.data.browsers.version | | keyword | +| axonius.network.event.data.category | | keyword | +| axonius.network.event.data.certificate_expiry_date | | date | +| axonius.network.event.data.chrome_device_type | | keyword | +| axonius.network.event.data.cidr_blocks | | keyword | +| axonius.network.event.data.cisa_vulnerabilities.action | | keyword | +| axonius.network.event.data.cisa_vulnerabilities.added | | date | +| axonius.network.event.data.cisa_vulnerabilities.cve_id | | keyword | +| axonius.network.event.data.cisa_vulnerabilities.desc | | keyword | +| axonius.network.event.data.cisa_vulnerabilities.due_date | | date | +| axonius.network.event.data.cisa_vulnerabilities.notes | | keyword | +| 
axonius.network.event.data.cisa_vulnerabilities.product | | keyword | +| axonius.network.event.data.cisa_vulnerabilities.used_in_ransomware | | boolean | +| axonius.network.event.data.cisa_vulnerabilities.vendor | | keyword | +| axonius.network.event.data.cisa_vulnerabilities.vulnerability_name | | keyword | +| axonius.network.event.data.class_name | | keyword | +| axonius.network.event.data.class_title | | keyword | +| axonius.network.event.data.class_type | | keyword | +| axonius.network.event.data.cloud_provider_account_id | | keyword | +| axonius.network.event.data.cmdb_business_applications.app_owner | | keyword | +| axonius.network.event.data.cmdb_business_applications.assignment_group | | keyword | +| axonius.network.event.data.cmdb_business_applications.business_criticality | | keyword | +| axonius.network.event.data.cmdb_business_applications.install_status | | keyword | +| axonius.network.event.data.cmdb_business_applications.managed_by | | keyword | +| axonius.network.event.data.cmdb_business_applications.name | | keyword | +| axonius.network.event.data.cmdb_business_applications.number | | keyword | +| axonius.network.event.data.cmdb_business_applications.u_architect | | keyword | +| axonius.network.event.data.cmdb_business_applications.u_availability_criticality | | keyword | +| axonius.network.event.data.cmdb_business_applications.u_confidentiality_criticality | | keyword | +| axonius.network.event.data.cmdb_business_applications.u_crown_jewel | | boolean | +| axonius.network.event.data.cmdb_business_applications.u_integrity_criticality | | keyword | +| axonius.network.event.data.cmdb_business_applications.u_privacy_criticality | | keyword | +| axonius.network.event.data.color | | keyword | +| axonius.network.event.data.common_users | | keyword | +| axonius.network.event.data.company | | keyword | +| axonius.network.event.data.confidence_level | | long | +| axonius.network.event.data.connected_assets | | keyword | +| 
axonius.network.event.data.connected_devices | | keyword | +| axonius.network.event.data.cp_type | | keyword | +| axonius.network.event.data.cpus.cores | | long | +| axonius.network.event.data.cpus.ghz | | double | +| axonius.network.event.data.cpus.manufacturer | | keyword | +| axonius.network.event.data.cpus.name | | keyword | +| axonius.network.event.data.creation_time_stamp | | date | +| axonius.network.event.data.criticality | | keyword | +| axonius.network.event.data.custom_risk_owner | | keyword | +| axonius.network.event.data.data_center | | keyword | +| axonius.network.event.data.destination | | keyword | +| axonius.network.event.data.destination_addresses | | keyword | +| axonius.network.event.data.destination_ips | | ip | +| axonius.network.event.data.destination_port | | long | +| axonius.network.event.data.destination_zone | | keyword | +| axonius.network.event.data.device_group | | keyword | +| axonius.network.event.data.device_manufacturer | | keyword | +| axonius.network.event.data.device_serial | | keyword | +| axonius.network.event.data.device_state | | keyword | +| axonius.network.event.data.device_type | | keyword | +| axonius.network.event.data.devices_axon_ids | | keyword | +| axonius.network.event.data.direction | | keyword | +| axonius.network.event.data.disk_encryption_configuration | | keyword | +| axonius.network.event.data.domain | | keyword | +| axonius.network.event.data.entity_id | | keyword | +| axonius.network.event.data.environment | | keyword | +| axonius.network.event.data.epo_host | | keyword | +| axonius.network.event.data.epo_id | | keyword | +| axonius.network.event.data.epo_products | | keyword | +| axonius.network.event.data.excluded_software_cves | | keyword | +| axonius.network.event.data.external_cloud_account_id | | keyword | +| axonius.network.event.data.external_ip | | ip | +| axonius.network.event.data.external_nat_ip | | ip | +| axonius.network.event.data.fetch_proto | | keyword | +| 
axonius.network.event.data.fetch_time | | date | +| axonius.network.event.data.fields_to_unset | | keyword | +| axonius.network.event.data.fingerprint | | keyword | +| axonius.network.event.data.firewall_enabled | | boolean | +| axonius.network.event.data.firewall_rules | | keyword | +| axonius.network.event.data.first_fetch_time | | date | +| axonius.network.event.data.first_seen | | date | +| axonius.network.event.data.fqdn | | keyword | +| axonius.network.event.data.free_physical_memory | | double | +| axonius.network.event.data.from_last_fetch | | boolean | +| axonius.network.event.data.general.extension_name | | keyword | +| axonius.network.event.data.general.extension_value | | keyword | +| axonius.network.event.data.generic_encryption.status | | boolean | +| axonius.network.event.data.ghost | | boolean | +| axonius.network.event.data.guest_dns_name | | keyword | +| axonius.network.event.data.guest_family | | keyword | +| axonius.network.event.data.guest_name | | keyword | +| axonius.network.event.data.guest_state | | keyword | +| axonius.network.event.data.hard_drives.free_size | | double | +| axonius.network.event.data.hard_drives.is_encrypted | | boolean | +| axonius.network.event.data.hard_drives.total_size | | double | +| axonius.network.event.data.hardware_status | | keyword | +| axonius.network.event.data.hostname | | keyword | +| axonius.network.event.data.id | | keyword | +| axonius.network.event.data.id_raw | | keyword | +| axonius.network.event.data.in_groups | | keyword | +| axonius.network.event.data.inbound_rules.from_port | | long | +| axonius.network.event.data.inbound_rules.ip_protocol | | keyword | +| axonius.network.event.data.inbound_rules.ip_ranges | | keyword | +| axonius.network.event.data.inbound_rules.to_port | | long | +| axonius.network.event.data.inbound_rules.type | | keyword | +| axonius.network.event.data.install_status | | keyword | +| axonius.network.event.data.installed_software.generated_cpe | | keyword | +| 
axonius.network.event.data.installed_software.name | | keyword | +| axonius.network.event.data.installed_software.name_version | | keyword | +| axonius.network.event.data.installed_software.sw_uid | | keyword | +| axonius.network.event.data.installed_software.vendor | | keyword | +| axonius.network.event.data.installed_software.vendor_publisher | | keyword | +| axonius.network.event.data.installed_software.version | | keyword | +| axonius.network.event.data.installed_software.version_raw | | keyword | +| axonius.network.event.data.ip_address_guid | | keyword | +| axonius.network.event.data.is_authenticated_scan | | boolean | +| axonius.network.event.data.is_enabled | | boolean | +| axonius.network.event.data.is_exposing_public_traffic | | boolean | +| axonius.network.event.data.is_fetched_from_adapter | | boolean | +| axonius.network.event.data.is_fragile | | boolean | +| axonius.network.event.data.is_latest_last_seen | | boolean | +| axonius.network.event.data.is_managed | | boolean | +| axonius.network.event.data.is_network_infra_device | | boolean | +| axonius.network.event.data.is_purchased | | boolean | +| axonius.network.event.data.is_safe | | boolean | +| axonius.network.event.data.jamf_groups | | keyword | +| axonius.network.event.data.jamf_groups_detailed.group_id | | keyword | +| axonius.network.event.data.jamf_groups_detailed.group_name | | keyword | +| axonius.network.event.data.jamf_groups_detailed.smart_group | | boolean | +| axonius.network.event.data.jamf_id | | keyword | +| axonius.network.event.data.jamf_location.building | | keyword | +| axonius.network.event.data.jamf_location.email_address | | keyword | +| axonius.network.event.data.jamf_location.phone_number | | keyword | +| axonius.network.event.data.jamf_location.position | | keyword | +| axonius.network.event.data.jamf_location.real_name | | keyword | +| axonius.network.event.data.jamf_location.room | | long | +| axonius.network.event.data.jamf_location.username | | keyword | +| 
axonius.network.event.data.jamf_version | | keyword | +| axonius.network.event.data.last_agent_import | | date | +| axonius.network.event.data.last_auth_run | | date | +| axonius.network.event.data.last_contact_time | | date | +| axonius.network.event.data.last_enrolled_date_utc | | date | +| axonius.network.event.data.last_fetch_connection_id | | keyword | +| axonius.network.event.data.last_fetch_connection_label | | keyword | +| axonius.network.event.data.last_scan | | date | +| axonius.network.event.data.last_seen | | date | +| axonius.network.event.data.last_seen_agents | | date | +| axonius.network.event.data.last_unauth_run | | date | +| axonius.network.event.data.last_used_users | | keyword | +| axonius.network.event.data.last_used_users_departments_association | | keyword | +| axonius.network.event.data.last_used_users_email_domain_association | | keyword | +| axonius.network.event.data.last_used_users_internal_axon_id_association | | keyword | +| axonius.network.event.data.last_used_users_mail_association | | keyword | +| axonius.network.event.data.last_used_users_user_manager_association | | keyword | +| axonius.network.event.data.last_used_users_user_manager_mail_association | | keyword | +| axonius.network.event.data.last_used_users_user_status_association | | keyword | +| axonius.network.event.data.last_used_users_user_title_association | | keyword | +| axonius.network.event.data.latest_used_user | | keyword | +| axonius.network.event.data.latest_used_user_department | | keyword | +| axonius.network.event.data.latest_used_user_email_domain | | keyword | +| axonius.network.event.data.latest_used_user_mail | | keyword | +| axonius.network.event.data.latest_used_user_user_manager | | keyword | +| axonius.network.event.data.latest_used_user_user_status | | keyword | +| axonius.network.event.data.latest_used_user_user_title | | keyword | +| axonius.network.event.data.linked_tickets.category | | keyword | +| axonius.network.event.data.linked_tickets.created 
| | date | +| axonius.network.event.data.linked_tickets.description | | keyword | +| axonius.network.event.data.linked_tickets.display_id | | keyword | +| axonius.network.event.data.linked_tickets.priority | | keyword | +| axonius.network.event.data.linked_tickets.reporter | | keyword | +| axonius.network.event.data.linked_tickets.status | | keyword | +| axonius.network.event.data.linked_tickets.summary | | keyword | +| axonius.network.event.data.linked_tickets.updated | | date | +| axonius.network.event.data.load_balancers_axon_ids | | keyword | +| axonius.network.event.data.location | | keyword | +| axonius.network.event.data.lock | | keyword | +| axonius.network.event.data.meeting_id | | keyword | +| axonius.network.event.data.method | | keyword | +| axonius.network.event.data.microphone | | keyword | +| axonius.network.event.data.mtu | | long | +| axonius.network.event.data.name | | keyword | +| axonius.network.event.data.nat_policy_ips.address | | ip | +| axonius.network.event.data.nat_policy_ips.direction | | keyword | +| axonius.network.event.data.nat_policy_ips.matched_on | | keyword | +| axonius.network.event.data.nat_policy_ips.policy_name | | keyword | +| axonius.network.event.data.nat_policy_ips.rule_num | | long | +| axonius.network.event.data.nat_policy_ips.uid | | keyword | +| axonius.network.event.data.nat_rules_axon_ids | | keyword | +| axonius.network.event.data.nat_translations.from_destination_integer_ip | | long | +| axonius.network.event.data.nat_translations.from_source_integer_ip | | long | +| axonius.network.event.data.nat_translations.is_destination_ip_range_public | | boolean | +| axonius.network.event.data.nat_translations.is_source_ip_range_public | | boolean | +| axonius.network.event.data.nat_translations.to_destination_integer_ip | | long | +| axonius.network.event.data.nat_translations.to_source_integer_ip | | long | +| axonius.network.event.data.network | | keyword | +| axonius.network.event.data.network_firewall_policy | | keyword 
| +| axonius.network.event.data.network_interfaces.ips | | keyword | +| axonius.network.event.data.network_interfaces.ips_raw | | long | +| axonius.network.event.data.network_interfaces.ips_v4 | | keyword | +| axonius.network.event.data.network_interfaces.ips_v4_raw | | long | +| axonius.network.event.data.network_interfaces.mac | | keyword | +| axonius.network.event.data.network_interfaces.manufacturer | | keyword | +| axonius.network.event.data.network_interfaces.subnets | | keyword | +| axonius.network.event.data.network_status | | keyword | +| axonius.network.event.data.network_type | | keyword | +| axonius.network.event.data.nexpose_id | | keyword | +| axonius.network.event.data.nexpose_type | | keyword | +| axonius.network.event.data.node_id | | keyword | +| axonius.network.event.data.node_name | | keyword | +| axonius.network.event.data.normalization_reasons.calculated_time | | date | +| axonius.network.event.data.normalization_reasons.key | | keyword | +| axonius.network.event.data.normalization_reasons.original | | keyword | +| axonius.network.event.data.normalization_reasons.reason | | keyword | +| axonius.network.event.data.not_fetched_count | | long | +| axonius.network.event.data.open_ports.port_id | | keyword | +| axonius.network.event.data.open_ports.protocol | | keyword | +| axonius.network.event.data.operational_status | | keyword | +| axonius.network.event.data.organizational_unit | | keyword | +| axonius.network.event.data.os.codename | | keyword | +| axonius.network.event.data.os.distribution | | keyword | +| axonius.network.event.data.os.distribution_name | | keyword | +| axonius.network.event.data.os.end_of_life | | date | +| axonius.network.event.data.os.end_of_support | | date | +| axonius.network.event.data.os.is_end_of_life | | boolean | +| axonius.network.event.data.os.is_end_of_support | | boolean | +| axonius.network.event.data.os.is_latest_os_version | | boolean | +| axonius.network.event.data.os.is_windows_server | | boolean | +| 
axonius.network.event.data.os.latest_os_version | | keyword | +| axonius.network.event.data.os.major | | long | +| axonius.network.event.data.os.minor | | long | +| axonius.network.event.data.os.os_cpe | | keyword | +| axonius.network.event.data.os.os_dotted | | keyword | +| axonius.network.event.data.os.os_dotted_raw | | long | +| axonius.network.event.data.os.os_str | | keyword | +| axonius.network.event.data.os.type | | keyword | +| axonius.network.event.data.os.type_distribution | | keyword | +| axonius.network.event.data.os_ext_attributes.attr_name | | keyword | +| axonius.network.event.data.os_ext_attributes.data_type | | keyword | +| axonius.network.event.data.os_ext_attributes.definition_id | | keyword | +| axonius.network.event.data.os_ext_attributes.ext_description | | keyword | +| axonius.network.event.data.os_ext_attributes.input_type | | keyword | +| axonius.network.event.data.os_ext_attributes.is_enabled | | boolean | +| axonius.network.event.data.os_ext_attributes.is_multivalue | | boolean | +| axonius.network.event.data.os_ext_attributes.values | | keyword | +| axonius.network.event.data.owner | | keyword | +| axonius.network.event.data.paloalto_device_type | | keyword | +| axonius.network.event.data.part_of_domain | | boolean | +| axonius.network.event.data.peerings.exchange_subnet_routes | | boolean | +| axonius.network.event.data.peerings.export_custom_routes | | boolean | +| axonius.network.event.data.peerings.import_custom_routes | | boolean | +| axonius.network.event.data.peerings.peer_mtu | | long | +| axonius.network.event.data.peerings.state | | keyword | +| axonius.network.event.data.peerings.state_details | | keyword | +| axonius.network.event.data.physical_location | | keyword | +| axonius.network.event.data.physical_memory_percentage | | double | +| axonius.network.event.data.plugin_and_severities.cpe | | keyword | +| axonius.network.event.data.plugin_and_severities.cve | | keyword | +| 
axonius.network.event.data.plugin_and_severities.cvss_base_score | | float | +| axonius.network.event.data.plugin_and_severities.days_seen | | long | +| axonius.network.event.data.plugin_and_severities.exploit_available | | boolean | +| axonius.network.event.data.plugin_and_severities.family.id | | keyword | +| axonius.network.event.data.plugin_and_severities.family.name | | keyword | +| axonius.network.event.data.plugin_and_severities.first_found | | date | +| axonius.network.event.data.plugin_and_severities.first_seen | | date | +| axonius.network.event.data.plugin_and_severities.has_been_mitigated | | boolean | +| axonius.network.event.data.plugin_and_severities.has_patch | | boolean | +| axonius.network.event.data.plugin_and_severities.last_fixed | | date | +| axonius.network.event.data.plugin_and_severities.last_found | | date | +| axonius.network.event.data.plugin_and_severities.last_seen | | date | +| axonius.network.event.data.plugin_and_severities.mitigated | | boolean | +| axonius.network.event.data.plugin_and_severities.nessus_instance.credentialed_check | | keyword | +| axonius.network.event.data.plugin_and_severities.nessus_instance.display_superseded_patches | | boolean | +| axonius.network.event.data.plugin_and_severities.nessus_instance.experimental_tests | | boolean | +| axonius.network.event.data.plugin_and_severities.nessus_instance.patch_management_checks | | keyword | +| axonius.network.event.data.plugin_and_severities.nessus_instance.plugin_feed_version | | keyword | +| axonius.network.event.data.plugin_and_severities.nessus_instance.report_verbosity | | long | +| axonius.network.event.data.plugin_and_severities.nessus_instance.safe_check | | boolean | +| axonius.network.event.data.plugin_and_severities.nessus_instance.scan_name | | keyword | +| axonius.network.event.data.plugin_and_severities.nessus_instance.scan_policy_used | | keyword | +| axonius.network.event.data.plugin_and_severities.nessus_instance.scan_type | | keyword | +| 
axonius.network.event.data.plugin_and_severities.nessus_instance.scanner_edition_used | | keyword | +| axonius.network.event.data.plugin_and_severities.nessus_instance.scanner_ip | | ip | +| axonius.network.event.data.plugin_and_severities.nessus_instance.thorough_tests | | boolean | +| axonius.network.event.data.plugin_and_severities.nessus_instance.version | | keyword | +| axonius.network.event.data.plugin_and_severities.patch_publication_date | | date | +| axonius.network.event.data.plugin_and_severities.plugin | | keyword | +| axonius.network.event.data.plugin_and_severities.plugin_id | | keyword | +| axonius.network.event.data.plugin_and_severities.plugin_id_number | | keyword | +| axonius.network.event.data.plugin_and_severities.severity | | keyword | +| axonius.network.event.data.plugin_and_severities.severity_modification_type | | keyword | +| axonius.network.event.data.plugin_and_severities.solution | | keyword | +| axonius.network.event.data.plugin_and_severities.state | | keyword | +| axonius.network.event.data.plugin_and_severities.unsupported_by_vendor | | boolean | +| axonius.network.event.data.plugin_and_severities.vpr_score | | float | +| axonius.network.event.data.plugin_and_severities.vuln_state | | keyword | +| axonius.network.event.data.policy_id | | keyword | +| axonius.network.event.data.policy_name | | keyword | +| axonius.network.event.data.pool_members_ips | | ip | +| axonius.network.event.data.pool_name | | keyword | +| axonius.network.event.data.power_state | | keyword | +| axonius.network.event.data.pretty_id | | keyword | +| axonius.network.event.data.priority | | long | +| axonius.network.event.data.private_integer_ips | | long | +| axonius.network.event.data.private_ips | | ip | +| axonius.network.event.data.project_id | | keyword | +| axonius.network.event.data.protocol | | keyword | +| axonius.network.event.data.provisioningState | | keyword | +| axonius.network.event.data.public_ips | | ip | +| 
axonius.network.event.data.ranger_version | | keyword | +| axonius.network.event.data.raw_hostname | | keyword | +| axonius.network.event.data.read_only | | boolean | +| axonius.network.event.data.recording | | boolean | +| axonius.network.event.data.relatable_ids | | keyword | +| axonius.network.event.data.related_network_route_ids | | keyword | +| axonius.network.event.data.relative_path | | keyword | +| axonius.network.event.data.report_date | | date | +| axonius.network.event.data.resource_group | | keyword | +| axonius.network.event.data.risk_level | | long | +| axonius.network.event.data.risk_level_value | | keyword | +| axonius.network.event.data.route.asset | | keyword | +| axonius.network.event.data.route.asset_internal_axon_id | | keyword | +| axonius.network.event.data.route.host_ipv4s | | ip | +| axonius.network.event.data.route.is_end_point | | boolean | +| axonius.network.event.data.route.is_entry_point | | boolean | +| axonius.network.event.data.route.is_public_facing | | boolean | +| axonius.network.event.data.route.name | | keyword | +| axonius.network.event.data.route.nat.from_destination_integer_ip | | long | +| axonius.network.event.data.route.nat.from_destination_ip_address | | ip | +| axonius.network.event.data.route.nat.from_source_integer_ip | | long | +| axonius.network.event.data.route.nat.from_source_ip_address | | ip | +| axonius.network.event.data.route.nat.is_destination_ip_range_public | | boolean | +| axonius.network.event.data.route.nat.is_source_ip_range_public | | boolean | +| axonius.network.event.data.route.nat.to_destination_integer_ip | | long | +| axonius.network.event.data.route.nat.to_destination_ip_address | | ip | +| axonius.network.event.data.route.nat.to_source_integer_ip | | long | +| axonius.network.event.data.route.nat.to_source_ip_address | | ip | +| axonius.network.event.data.route.order | | keyword | +| axonius.network.event.data.route.product_type | | keyword | +| axonius.network.event.data.route.vendors | | 
keyword | +| axonius.network.event.data.routing_mode | | keyword | +| axonius.network.event.data.rule_base_type | | keyword | +| axonius.network.event.data.rule_type | | keyword | +| axonius.network.event.data.scan_results | | keyword | +| axonius.network.event.data.scan_results_objs.id | | keyword | +| axonius.network.event.data.scan_results_objs.name | | keyword | +| axonius.network.event.data.scan_results_objs.status | | keyword | +| axonius.network.event.data.scanner | | boolean | +| axonius.network.event.data.security_updates_last_changed | | date | +| axonius.network.event.data.security_updates_status | | keyword | +| axonius.network.event.data.server_type | | keyword | +| axonius.network.event.data.service | | keyword | +| axonius.network.event.data.services | | keyword | +| axonius.network.event.data.severity_critical | | long | +| axonius.network.event.data.severity_high | | long | +| axonius.network.event.data.severity_info | | long | +| axonius.network.event.data.severity_low | | long | +| axonius.network.event.data.severity_medium | | long | +| axonius.network.event.data.share_application | | boolean | +| axonius.network.event.data.share_desktop | | boolean | +| axonius.network.event.data.share_whiteboard | | boolean | +| axonius.network.event.data.sip_status | | boolean | +| axonius.network.event.data.site_name | | keyword | +| axonius.network.event.data.software_cves.axonius_risk_score | | double | +| axonius.network.event.data.software_cves.axonius_status | | keyword | +| axonius.network.event.data.software_cves.axonius_status_last_update | | date | +| axonius.network.event.data.software_cves.custom_software_cves_business_unit | | keyword | +| axonius.network.event.data.software_cves.cve_from_sw_analysis | | boolean | +| axonius.network.event.data.software_cves.cve_id | | keyword | +| axonius.network.event.data.software_cves.cve_list | | keyword | +| axonius.network.event.data.software_cves.cve_severity | | keyword | +| 
axonius.network.event.data.software_cves.cve_synopsis | | keyword | +| axonius.network.event.data.software_cves.cvss | | float | +| axonius.network.event.data.software_cves.cvss2_score | | float | +| axonius.network.event.data.software_cves.cvss2_score_num | | float | +| axonius.network.event.data.software_cves.cvss3_score | | float | +| axonius.network.event.data.software_cves.cvss3_score_num | | float | +| axonius.network.event.data.software_cves.cvss4_score | | float | +| axonius.network.event.data.software_cves.cvss4_score_num | | float | +| axonius.network.event.data.software_cves.cvss_str | | keyword | +| axonius.network.event.data.software_cves.cvss_vector | | keyword | +| axonius.network.event.data.software_cves.cvss_version | | keyword | +| axonius.network.event.data.software_cves.cwe_id | | keyword | +| axonius.network.event.data.software_cves.epss.creation_date | | date | +| axonius.network.event.data.software_cves.epss.cve_id | | keyword | +| axonius.network.event.data.software_cves.epss.percentile | | double | +| axonius.network.event.data.software_cves.epss.score | | double | +| axonius.network.event.data.software_cves.exploitability_score | | double | +| axonius.network.event.data.software_cves.first_fetch_time | | date | +| axonius.network.event.data.software_cves.hash_id | | keyword | +| axonius.network.event.data.software_cves.impact_score | | double | +| axonius.network.event.data.software_cves.last_fetch_time | | date | +| axonius.network.event.data.software_cves.last_modified_date | | date | +| axonius.network.event.data.software_cves.mitigated | | boolean | +| axonius.network.event.data.software_cves.msrc.creation_date | | keyword | +| axonius.network.event.data.software_cves.msrc.cve_id | | keyword | +| axonius.network.event.data.software_cves.msrc.title | | keyword | +| axonius.network.event.data.software_cves.nvd_publish_age | | long | +| axonius.network.event.data.software_cves.publish_date | | date | +| 
axonius.network.event.data.software_cves.software_name | | keyword | +| axonius.network.event.data.software_cves.software_type | | keyword | +| axonius.network.event.data.software_cves.software_vendor | | keyword | +| axonius.network.event.data.software_cves.software_version | | keyword | +| axonius.network.event.data.software_cves.solution_hash_id | | keyword | +| axonius.network.event.data.software_cves.version_raw | | keyword | +| axonius.network.event.data.source_addresses | | ip | +| axonius.network.event.data.source_application | | keyword | +| axonius.network.event.data.source_ips | | ip | +| axonius.network.event.data.source_zone | | keyword | +| axonius.network.event.data.speaker | | keyword | +| axonius.network.event.data.special_hint | | long | +| axonius.network.event.data.special_hint_underscore | | keyword | +| axonius.network.event.data.state | | keyword | +| axonius.network.event.data.subnet_tag | | keyword | +| axonius.network.event.data.subnetworks.creation_timestamp | | date | +| axonius.network.event.data.subnetworks.gateway_address | | ip | +| axonius.network.event.data.subnetworks.id | | keyword | +| axonius.network.event.data.subnetworks.ip_cidr_range | | ip | +| axonius.network.event.data.subnetworks.name | | keyword | +| axonius.network.event.data.subnetworks.private_ip_google_access | | boolean | +| axonius.network.event.data.subscription_id | | keyword | +| axonius.network.event.data.subscription_name | | keyword | +| axonius.network.event.data.swap_free | | double | +| axonius.network.event.data.swap_total | | double | +| axonius.network.event.data.sys_id | | keyword | +| axonius.network.event.data.table_type | | keyword | +| axonius.network.event.data.tenant_number | | keyword | +| axonius.network.event.data.tenant_tag | | keyword | +| axonius.network.event.data.threat_level | | keyword | +| axonius.network.event.data.threats | | keyword | +| axonius.network.event.data.total | | long | +| axonius.network.event.data.total_number_of_cores 
| | long | +| axonius.network.event.data.total_physical_memory | | double | +| axonius.network.event.data.traffic_direction | | keyword | +| axonius.network.event.data.type | | keyword | +| axonius.network.event.data.u_business_owner | | keyword | +| axonius.network.event.data.u_business_unit | | keyword | +| axonius.network.event.data.uniq_sites_count | | long | +| axonius.network.event.data.uri | | keyword | +| axonius.network.event.data.urls_axon_ids | | keyword | +| axonius.network.event.data.uuid | | keyword | +| axonius.network.event.data.vendor | | keyword | +| axonius.network.event.data.virtual_host | | boolean | +| axonius.network.event.data.vm_status | | keyword | +| axonius.network.event.data.vm_type | | keyword | +| axonius.network.event.data.vpn_domain | | keyword | +| axonius.network.event.data.vpn_is_local | | boolean | +| axonius.network.event.data.vpn_lifetime | | long | +| axonius.network.event.data.vpn_public_ip | | ip | +| axonius.network.event.data.vpn_tunnel_type | | keyword | +| axonius.network.event.data.vpn_type | | keyword | +| axonius.network.event.data.z_sys_class_name | | keyword | +| axonius.network.event.data.z_table_hierarchy.name | | keyword | +| axonius.network.event.data.zoom_ip | | ip | +| axonius.network.event.enrichment_type | | keyword | +| axonius.network.event.entity | | keyword | +| axonius.network.event.hidden_for_gui | | boolean | +| axonius.network.event.initial_plugin_unique_name | | keyword | +| axonius.network.event.name | | keyword | +| axonius.network.event.plugin_name | | keyword | +| axonius.network.event.plugin_type | | keyword | +| axonius.network.event.plugin_unique_name | | keyword | +| axonius.network.event.quick_id | | keyword | +| axonius.network.event.type | | keyword | +| axonius.network.internal_axon_id | | keyword | +| axonius.network.labels | | keyword | +| axonius.network.transform_unique_id | | keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of 
the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of filebeat input. 
| keyword | +| labels.is_transform_source | Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. | constant_keyword | +| log.offset | Log offset. | long | +| observer.vendor | Vendor name of the observer. | constant_keyword | + + +An example event for `network` looks as following: + +```json +{ + "@timestamp": "2025-12-16T00:02:05.000Z", + "agent": { + "ephemeral_id": "6f10dc02-e214-4fe8-aac7-75f2655c9de3", + "id": "2032ce7d-4d83-416e-9228-8e7eddd0c9ac", + "name": "elastic-agent-87669", + "type": "filebeat", + "version": "9.1.3" + }, + "axonius": { + "network": { + "adapter_list_length": 1, + "adapters": "azure_adapter", + "asset_type": "networks", + "event": { + "accurate_for_datetime": "2025-12-16T00:02:05.000Z", + "adapter_categories": "Cloud Infra", + "client_used": "67fd09ca731ccb5730923106", + "data": { + "access": "Allow", + "accurate_for_datetime": "2025-12-16T00:02:05.000Z", + "application_and_account_name": "azure/azure-demo", + "connected_assets": "subscription_id::64062aef-14a6-42a4-86b1-8a25d0c7cb24", + "direction": "Inbound", + "fetch_time": "2025-12-16T00:02:04.000Z", + "first_fetch_time": "2025-12-14T16:49:34.000Z", + "from_last_fetch": true, + "id": "2142ce3eb735930b68a7", + "id_raw": "912b0b56-fb12-4fe9-8f88-214c6c6b32e5", + "is_fetched_from_adapter": true, + "last_fetch_connection_id": "67fd09ca731ccb5730923106", + "last_fetch_connection_label": "azure-demo", + "location": "New York City", + "name": "FTP-ENABLED-Allowedcb5E-", + "not_fetched_count": 0, + "pretty_id": "AX-1156168648572164619", + "priority": 1937, + "protocol": "UDP", + "provisioningState": "Succeeded", + "source_application": "Azure", + "subscription_id": "b3fa20bb-a9c1-4cb6-80a9-13bcc9d68da5", + "subscription_name": "Microsoft Azure Enterprise", + "tenant_number": "2", + "type": "Networks" + }, + "initial_plugin_unique_name": "azure_adapter_0", + "plugin_name": "azure_adapter", + 
"plugin_type": "Adapter", + "plugin_unique_name": "azure_adapter_0", + "quick_id": "azure_adapter_0!2142ce3eb735930b68a7", + "type": "entitydata" + }, + "internal_axon_id": "100b89429e965a0bf70a9bae08c4b679", + "transform_unique_id": "+d3LsTUHSgxeH1GKpDIbo8Oh1Jk=" + } + }, + "data_stream": { + "dataset": "axonius.network", + "namespace": "67215", + "type": "logs" + }, + "ecs": { + "version": "9.2.0" + }, + "elastic_agent": { + "id": "2032ce7d-4d83-416e-9228-8e7eddd0c9ac", + "snapshot": false, + "version": "9.1.3" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "axonius.network", + "ingested": "2025-12-24T10:43:02Z", + "kind": "event", + "module": "axonius", + "type": [ + "info" + ] + }, + "host": { + "geo": { + "city_name": "New York City" + } + }, + "input": { + "type": "cel" + }, + "labels": { + "is_transform_source": "true" + }, + "network": { + "direction": "inbound", + "protocol": "udp" + }, + "observer": { + "vendor": "Axonius" + }, + "tags": [ + "preserve_duplicate_custom_fields", + "forwarded", + "axonius-network" + ] +} +``` + +### Inputs used + +These inputs can be used with this integration: +
+cel + +## Setup + +For more details about the CEL input settings, check the [Filebeat documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html). + +Before configuring the CEL input, make sure you have: +- Network connectivity to the target API endpoint +- Valid authentication credentials (API keys, tokens, or certificates as required) +- Appropriate permissions to read from the target data source + +### Collecting logs from CEL + +To configure the CEL input, you must specify the `request.url` value pointing to the API endpoint. The interval parameter controls how frequently requests are made and is the primary way to balance data freshness with API rate limits and costs. Authentication is often configured through the `request.headers` section using the appropriate method for the service. + +NOTE: To access the API service, make sure you have the necessary API credentials and that the Filebeat instance can reach the endpoint URL. Some services may require IP whitelisting or VPN access. + +To collect logs via API endpoint, configure the following parameters: + +- API Endpoint URL +- API credentials (tokens, keys, or username/password) +- Request interval (how often to fetch data) +
+ + +### API usage + +These APIs are used with this integration: + +* Network + * networks (endpoint: `/api/v2/networks`) + * load_balancers (endpoint: `/api/v2/load_balancers`) + * network_services (endpoint: `/api/v2/network_services`) + * network_devices (endpoint: `/api/v2/network_devices`) + * firewalls (endpoint: `/api/v2/firewalls`) + * nat_rules (endpoint: `/api/v2/nat_rules`) + * network_routes (endpoint: `/api/v2/network_routes`) + +#### ILM Policy + +To facilitate network data, source data stream-backed indices `.ds-logs-axonius.network-*` are allowed to contain duplicates from each polling interval. ILM policy `logs-axonius.network-default_policy` is added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after `30 days` from ingested date. diff --git a/packages/axonius/elasticsearch/transform/latest_network/fields/base-fields.yml b/packages/axonius/elasticsearch/transform/latest_network/fields/base-fields.yml new file mode 100644 index 00000000000..ec2fdb020c0 --- /dev/null +++ b/packages/axonius/elasticsearch/transform/latest_network/fields/base-fields.yml @@ -0,0 +1,16 @@ +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: data_stream.type + external: ecs +- name: event.dataset + type: constant_keyword + external: ecs + value: axonius.network +- name: event.module + type: constant_keyword + external: ecs + value: axonius +- name: '@timestamp' + external: ecs diff --git a/packages/axonius/elasticsearch/transform/latest_network/fields/beats.yml b/packages/axonius/elasticsearch/transform/latest_network/fields/beats.yml new file mode 100644 index 00000000000..d5fd38748ba --- /dev/null +++ b/packages/axonius/elasticsearch/transform/latest_network/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.offset + type: long + description: Log offset. 
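Review bot: in the exported fields table, `axonius.network.event.data.subnetworks.ip_cidr_range | | ip` maps a CIDR string (a GCP `ipCidrRange` such as `10.128.0.0/20`) to the `ip` field type, which accepts only single addresses; a document carrying a CIDR value here is rejected at index time. Use `ip_range` (or `keyword`) for that field. The same table also maps `axonius.network.event.data.source_addresses | | ip` while `axonius.network.event.data.destination_addresses | | keyword`; firewall rule address lists commonly hold tokens such as `any` or named objects, so both should be `keyword` (the separate `source_ips`/`destination_ips` fields already cover the typed-IP case). Two smaller points in the same hunk: the `#### ILM Policy` paragraph says data is "deleted after `30 days` from ingested date", but the delete phase acts on whole backing indices relative to their rollover age, so documents can outlive that date; say "backing indices are deleted 30 days after rollover". And the `### Setup` / `### Collecting logs from CEL` text is generic input boilerplate ("API keys, tokens, or certificates as required") that never tells the reader which Axonius credentials to create or which permissions the API user needs for the `/api/v2/*` endpoints listed under `### API usage`; replace it with the product-specific steps.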
diff --git a/packages/axonius/elasticsearch/transform/latest_network/fields/ecs.yml b/packages/axonius/elasticsearch/transform/latest_network/fields/ecs.yml new file mode 100644 index 00000000000..9e054fd65cc --- /dev/null +++ b/packages/axonius/elasticsearch/transform/latest_network/fields/ecs.yml 
@@ -0,0 +1,96 @@ +- name: agent.ephemeral_id + external: ecs +- name: agent.id + external: ecs +- name: agent.name + external: ecs +- name: agent.type + external: ecs +- name: agent.version + external: ecs +- name: cloud.account.id + external: ecs +- name: destination.nat.ip + external: ecs +- name: destination.port + external: ecs +- name: device.manufacturer + external: ecs +- name: device.serial_number + external: ecs +- name: device.type + external: ecs +- name: ecs.version + external: ecs +- name: error.code + external: ecs +- name: error.id + external: ecs +- name: error.message + external: ecs +- name: event.action + external: ecs +- name: event.category + external: ecs +- name: event.created + external: ecs +- name: event.ingested + external: ecs +- name: event.kind + external: ecs +- name: event.reason + external: ecs +- name: event.type + external: ecs +- name: event.url + external: ecs +- name: host.domain + external: ecs +- name: host.geo.city_name + external: ecs +- name: host.hostname + external: ecs +- name: host.id + external: ecs +- name: host.name + external: ecs +- name: host.os.family + external: ecs +- name: host.os.full + external: ecs +- name: host.os.type + external: ecs +- name: host.os.version + external: ecs +- name: message + external: ecs +- name: network.direction + external: ecs +- name: network.protocol + external: ecs +- name: observer.vendor + external: ecs + type: constant_keyword + value: Axonius +- name: related.hash + external: ecs +- name: related.hosts + external: ecs +- name: related.ip + external: ecs +- name: related.user + external: ecs +- name: source.address + external: ecs +- name: source.nat.ip + external: ecs +- name: user_agent.version + external: ecs +- name: vulnerability.description + external: ecs +- name: vulnerability.enumeration + external: ecs +- name: vulnerability.id + external: ecs +- name: vulnerability.severity + external: ecs 
diff --git a/packages/axonius/elasticsearch/transform/latest_network/fields/fields.yml b/packages/axonius/elasticsearch/transform/latest_network/fields/fields.yml new file mode 100644 index 00000000000..a22269c5b9c --- /dev/null +++ b/packages/axonius/elasticsearch/transform/latest_network/fields/fields.yml 
@@ -0,0 +1,1138 @@ +- name: axonius + type: group + fields: + - name: network + type: group + fields: + - name: adapter_list_length + type: long + - name: adapters + type: keyword + - name: asset_type + type: keyword + - name: event + type: group + fields: + - name: accurate_for_datetime + type: date + - name: action_if_exists + type: keyword + - name: adapter_categories + type: keyword + - name: associated_adapter_plugin_name + type: keyword + - name: association_type + type: keyword + - name: client_used + type: keyword + - name: data + type: group + fields: + - name: _keep_hostname_empty + type: boolean + - name: access + type: keyword + - name: accurate_for_datetime + type: date + - name: action + type: keyword + - name: adapter_properties + type: keyword + - name: agent_version + type: keyword + - name: agent_versions + type: group + fields: + - name: adapter_name + type: keyword + - name: agent_version + type: keyword + - name: agent_version_raw + type: keyword + - name: all_associated_email_addresses + type: keyword + - name: allow_nat + type: boolean + - name: anti_malware_agent_status + type: keyword + - name: anti_malware_agent_status_message + type: keyword + - name: anti_malware_state + type: keyword + - name: application_and_account_name + type: keyword + - name: applications + type: keyword + - name: arp_interface + type: keyword + - name: arp_port + type: keyword + - name: arp_status + type: keyword + - name: arp_ttl + type: long + - name: assessed_for_policies + type: boolean + - name: assessed_for_vulnerabilities + type: boolean + - name: asset_entity_info + type: keyword + - name: asset_install_status + type: keyword + - name: asset_tag + type: keyword + - name: asset_type + type: keyword + - name: asset_user_name + type: keyword + - name: associated_device_users + type: group + fields: + - name: internal_axon_id + type: keyword + - name: is_latest_used_user + type: boolean + - name: last_used_departments + type: keyword + - name: last_used_email 
+ type: keyword + - name: last_used_email_domain + type: keyword + - name: last_used_user_manager + type: keyword + - name: associated_saas_applications + type: group + fields: + - name: internal_axon_id + type: keyword + - name: name + type: keyword + - name: axon_id + type: keyword + - name: axonius_instance_name + type: keyword + - name: balanced_integer_ips + type: long + - name: balanced_ips + type: ip + - name: browsers + type: group + fields: + - name: channel + type: keyword + - name: version + type: keyword + - name: category + type: keyword + - name: certificate_expiry_date + type: date + - name: chrome_device_type + type: keyword + - name: cidr_blocks + type: keyword + - name: cisa_vulnerabilities + type: group + fields: + - name: action + type: keyword + - name: added + type: date + - name: cve_id + type: keyword + - name: desc + type: keyword + - name: due_date + type: date + - name: notes + type: keyword + - name: product + type: keyword + - name: used_in_ransomware + type: boolean + - name: vendor + type: keyword + - name: vulnerability_name + type: keyword + - name: class_name + type: keyword + - name: class_title + type: keyword + - name: class_type + type: keyword + - name: cloud_provider_account_id + type: keyword + - name: cmdb_business_applications + type: group + fields: + - name: app_owner + type: keyword + - name: assignment_group + type: keyword + - name: business_criticality + type: keyword + - name: install_status + type: keyword + - name: managed_by + type: keyword + - name: name + type: keyword + - name: number + type: keyword + - name: u_architect + type: keyword + - name: u_availability_criticality + type: keyword + - name: u_confidentiality_criticality + type: keyword + - name: u_crown_jewel + type: boolean + - name: u_integrity_criticality + type: keyword + - name: u_privacy_criticality + type: keyword + - name: color + type: keyword + - name: common_users + type: keyword + - name: company + type: keyword + - name: confidence_level 
+ type: long + - name: connected_assets + type: keyword + - name: connected_devices + type: keyword + - name: cp_type + type: keyword + - name: cpus + type: group + fields: + - name: cores + type: long + - name: ghz + type: double + - name: manufacturer + type: keyword + - name: name + type: keyword + - name: creation_time_stamp + type: date + - name: criticality + type: keyword + - name: custom_risk_owner + type: keyword + - name: data_center + type: keyword + - name: destination + type: keyword + - name: destination_addresses + type: keyword + - name: destination_ips + type: ip + - name: destination_port + type: long + - name: destination_zone + type: keyword + - name: device_group + type: keyword + - name: device_manufacturer + type: keyword + - name: device_serial + type: keyword + - name: device_state + type: keyword + - name: device_type + type: keyword + - name: devices_axon_ids + type: keyword + - name: direction + type: keyword + - name: disk_encryption_configuration + type: keyword + - name: domain + type: keyword + - name: entity_id + type: keyword + - name: environment + type: keyword + - name: epo_host + type: keyword + - name: epo_id + type: keyword + - name: epo_products + type: keyword + - name: excluded_software_cves + type: keyword + - name: external_cloud_account_id + type: keyword + - name: external_ip + type: ip + - name: external_nat_ip + type: ip + - name: fetch_proto + type: keyword + - name: fetch_time + type: date + - name: fields_to_unset + type: keyword + - name: fingerprint + type: keyword + - name: firewall_enabled + type: boolean + - name: firewall_rules + type: keyword + - name: first_fetch_time + type: date + - name: first_seen + type: date + - name: fqdn + type: keyword + - name: free_physical_memory + type: double + - name: from_last_fetch + type: boolean + - name: general + type: group + fields: + - name: extension_name + type: keyword + - name: extension_value + type: keyword + - name: generic_encryption + type: group + fields: 
+ - name: status + type: boolean + - name: ghost + type: boolean + - name: guest_dns_name + type: keyword + - name: guest_family + type: keyword + - name: guest_name + type: keyword + - name: guest_state + type: keyword + - name: hard_drives + type: group + fields: + - name: free_size + type: double + - name: is_encrypted + type: boolean + - name: total_size + type: double + - name: hardware_status + type: keyword + - name: hostname + type: keyword + - name: id + type: keyword + - name: id_raw + type: keyword + - name: in_groups + type: keyword + - name: inbound_rules + type: group + fields: + - name: from_port + type: long + - name: ip_protocol + type: keyword + - name: ip_ranges + type: keyword + - name: to_port + type: long + - name: type + type: keyword + - name: install_status + type: keyword + - name: installed_software + type: group + fields: + - name: generated_cpe + type: keyword + - name: name + type: keyword + - name: name_version + type: keyword + - name: sw_uid + type: keyword + - name: vendor + type: keyword + - name: vendor_publisher + type: keyword + - name: version + type: keyword + - name: version_raw + type: keyword + - name: ip_address_guid + type: keyword + - name: is_authenticated_scan + type: boolean + - name: is_enabled + type: boolean + - name: is_exposing_public_traffic + type: boolean + - name: is_fetched_from_adapter + type: boolean + - name: is_fragile + type: boolean + - name: is_latest_last_seen + type: boolean + - name: is_managed + type: boolean + - name: is_network_infra_device + type: boolean + - name: is_purchased + type: boolean + - name: is_safe + type: boolean + - name: jamf_groups + type: keyword + - name: jamf_groups_detailed + type: group + fields: + - name: group_id + type: keyword + - name: group_name + type: keyword + - name: smart_group + type: boolean + - name: jamf_id + type: keyword + - name: jamf_location + type: group + fields: + - name: building + type: keyword + - name: email_address + type: keyword + - name: 
phone_number + type: keyword + - name: position + type: keyword + - name: real_name + type: keyword + - name: room + type: long + - name: username + type: keyword + - name: jamf_version + type: keyword + - name: last_agent_import + type: date + - name: last_auth_run + type: date + - name: last_contact_time + type: date + - name: last_enrolled_date_utc + type: date + - name: last_fetch_connection_id + type: keyword + - name: last_fetch_connection_label + type: keyword + - name: last_scan + type: date + - name: last_seen + type: date + - name: last_seen_agents + type: date + - name: last_unauth_run + type: date + - name: last_used_users + type: keyword + - name: last_used_users_departments_association + type: keyword + - name: last_used_users_email_domain_association + type: keyword + - name: last_used_users_internal_axon_id_association + type: keyword + - name: last_used_users_mail_association + type: keyword + - name: last_used_users_user_manager_association + type: keyword + - name: last_used_users_user_manager_mail_association + type: keyword + - name: last_used_users_user_status_association + type: keyword + - name: last_used_users_user_title_association + type: keyword + - name: latest_used_user + type: keyword + - name: latest_used_user_department + type: keyword + - name: latest_used_user_email_domain + type: keyword + - name: latest_used_user_mail + type: keyword + - name: latest_used_user_user_manager + type: keyword + - name: latest_used_user_user_status + type: keyword + - name: latest_used_user_user_title + type: keyword + - name: linked_tickets + type: group + fields: + - name: category + type: keyword + - name: created + type: date + - name: description + type: keyword + - name: display_id + type: keyword + - name: priority + type: keyword + - name: reporter + type: keyword + - name: status + type: keyword + - name: summary + type: keyword + - name: updated + type: date + - name: load_balancers_axon_ids + type: keyword + - name: location + type: 
keyword + - name: lock + type: keyword + - name: meeting_id + type: keyword + - name: method + type: keyword + - name: microphone + type: keyword + - name: mtu + type: long + - name: name + type: keyword + - name: nat_policy_ips + type: group + fields: + - name: address + type: ip + - name: direction + type: keyword + - name: matched_on + type: keyword + - name: policy_name + type: keyword + - name: rule_num + type: long + - name: uid + type: keyword + - name: nat_rules_axon_ids + type: keyword + - name: nat_translations + type: group + fields: + - name: from_destination_integer_ip + type: long + - name: from_source_integer_ip + type: long + - name: is_destination_ip_range_public + type: boolean + - name: is_source_ip_range_public + type: boolean + - name: to_destination_integer_ip + type: long + - name: to_source_integer_ip + type: long + - name: network + type: keyword + - name: network_firewall_policy + type: keyword + - name: network_interfaces + type: group + fields: + - name: ips + type: keyword + - name: ips_raw + type: long + - name: ips_v4 + type: keyword + - name: ips_v4_raw + type: long + - name: mac + type: keyword + - name: manufacturer + type: keyword + - name: subnets + type: keyword + - name: network_status + type: keyword + - name: network_type + type: keyword + - name: nexpose_id + type: keyword + - name: nexpose_type + type: keyword + - name: node_id + type: keyword + - name: node_name + type: keyword + - name: normalization_reasons + type: group + fields: + - name: calculated_time + type: date + - name: key + type: keyword + - name: original + type: keyword + - name: reason + type: keyword + - name: not_fetched_count + type: long + - name: open_ports + type: group + fields: + - name: port_id + type: keyword + - name: protocol + type: keyword + - name: operational_status + type: keyword + - name: organizational_unit + type: keyword + - name: os + type: group + fields: + - name: codename + type: keyword + - name: distribution + type: keyword + - 
name: distribution_name + type: keyword + - name: end_of_life + type: date + - name: end_of_support + type: date + - name: is_end_of_life + type: boolean + - name: is_end_of_support + type: boolean + - name: is_latest_os_version + type: boolean + - name: is_windows_server + type: boolean + - name: latest_os_version + type: keyword + - name: major + type: long + - name: minor + type: long + - name: os_cpe + type: keyword + - name: os_dotted + type: keyword + - name: os_dotted_raw + type: long + - name: os_str + type: keyword + - name: type + type: keyword + - name: type_distribution + type: keyword + - name: os_ext_attributes + type: group + fields: + - name: attr_name + type: keyword + - name: data_type + type: keyword + - name: definition_id + type: keyword + - name: ext_description + type: keyword + - name: input_type + type: keyword + - name: is_enabled + type: boolean + - name: is_multivalue + type: boolean + - name: values + type: keyword + - name: owner + type: keyword + - name: paloalto_device_type + type: keyword + - name: part_of_domain + type: boolean + - name: peerings + type: group + fields: + - name: exchange_subnet_routes + type: boolean + - name: export_custom_routes + type: boolean + - name: import_custom_routes + type: boolean + - name: peer_mtu + type: long + - name: state + type: keyword + - name: state_details + type: keyword + - name: physical_location + type: keyword + - name: physical_memory_percentage + type: double + - name: plugin_and_severities + type: group + fields: + - name: cpe + type: keyword + - name: cve + type: keyword + - name: cvss_base_score + type: float + - name: days_seen + type: long + - name: exploit_available + type: boolean + - name: family + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: first_found + type: date + - name: first_seen + type: date + - name: has_been_mitigated + type: boolean + - name: has_patch + type: boolean + - name: last_fixed + type: date + - name: 
last_found + type: date + - name: last_seen + type: date + - name: mitigated + type: boolean + - name: nessus_instance + type: group + fields: + - name: credentialed_check + type: keyword + - name: display_superseded_patches + type: boolean + - name: experimental_tests + type: boolean + - name: patch_management_checks + type: keyword + - name: plugin_feed_version + type: keyword + - name: report_verbosity + type: long + - name: safe_check + type: boolean + - name: scan_name + type: keyword + - name: scan_policy_used + type: keyword + - name: scan_type + type: keyword + - name: scanner_edition_used + type: keyword + - name: scanner_ip + type: ip + - name: thorough_tests + type: boolean + - name: version + type: keyword + - name: patch_publication_date + type: date + - name: plugin + type: keyword + - name: plugin_id + type: keyword + - name: plugin_id_number + type: keyword + - name: severity + type: keyword + - name: severity_modification_type + type: keyword + - name: solution + type: keyword + - name: state + type: keyword + - name: unsupported_by_vendor + type: boolean + - name: vpr_score + type: float + - name: vuln_state + type: keyword + - name: policy_id + type: keyword + - name: policy_name + type: keyword + - name: pool_members_ips + type: ip + - name: pool_name + type: keyword + - name: power_state + type: keyword + - name: pretty_id + type: keyword + - name: priority + type: long + - name: private_integer_ips + type: long + - name: private_ips + type: ip + - name: project_id + type: keyword + - name: protocol + type: keyword + - name: provisioningState + type: keyword + - name: public_ips + type: ip + - name: ranger_version + type: keyword + - name: raw_hostname + type: keyword + - name: read_only + type: boolean + - name: recording + type: boolean + - name: relatable_ids + type: keyword + - name: related_network_route_ids + type: keyword + - name: relative_path + type: keyword + - name: report_date + type: date + - name: resource_group + type: keyword + 
- name: risk_level + type: long + - name: risk_level_value + type: keyword + - name: route + type: group + fields: + - name: asset + type: keyword + - name: asset_internal_axon_id + type: keyword + - name: host_ipv4s + type: ip + - name: is_end_point + type: boolean + - name: is_entry_point + type: boolean + - name: is_public_facing + type: boolean + - name: name + type: keyword + - name: nat + type: group + fields: + - name: from_destination_integer_ip + type: long + - name: from_destination_ip_address + type: ip + - name: from_source_integer_ip + type: long + - name: from_source_ip_address + type: ip + - name: is_destination_ip_range_public + type: boolean + - name: is_source_ip_range_public + type: boolean + - name: to_destination_integer_ip + type: long + - name: to_destination_ip_address + type: ip + - name: to_source_integer_ip + type: long + - name: to_source_ip_address + type: ip + - name: order + type: keyword + - name: product_type + type: keyword + - name: vendors + type: keyword + - name: routing_mode + type: keyword + - name: rule_base_type + type: keyword + - name: rule_type + type: keyword + - name: scan_results + type: keyword + - name: scan_results_objs + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: status + type: keyword + - name: scanner + type: boolean + - name: security_updates_last_changed + type: date + - name: security_updates_status + type: keyword + - name: server_type + type: keyword + - name: service + type: keyword + - name: services + type: keyword + - name: severity_critical + type: long + - name: severity_high + type: long + - name: severity_info + type: long + - name: severity_low + type: long + - name: severity_medium + type: long + - name: share_application + type: boolean + - name: share_desktop + type: boolean + - name: share_whiteboard + type: boolean + - name: sip_status + type: boolean + - name: site_name + type: keyword + - name: software_cves + type: group + fields: + - name: 
axonius_risk_score + type: double + - name: axonius_status + type: keyword + - name: axonius_status_last_update + type: date + - name: custom_software_cves_business_unit + type: keyword + - name: cve_from_sw_analysis + type: boolean + - name: cve_id + type: keyword + - name: cve_list + type: keyword + - name: cve_severity + type: keyword + - name: cve_synopsis + type: keyword + - name: cvss + type: float + - name: cvss2_score + type: float + - name: cvss2_score_num + type: float + - name: cvss3_score + type: float + - name: cvss3_score_num + type: float + - name: cvss4_score + type: float + - name: cvss4_score_num + type: float + - name: cvss_str + type: keyword + - name: cvss_vector + type: keyword + - name: cvss_version + type: keyword + - name: cwe_id + type: keyword + - name: epss + type: group + fields: + - name: creation_date + type: date + - name: cve_id + type: keyword + - name: percentile + type: double + - name: score + type: double + - name: exploitability_score + type: double + - name: first_fetch_time + type: date + - name: hash_id + type: keyword + - name: impact_score + type: double + - name: last_fetch_time + type: date + - name: last_modified_date + type: date + - name: mitigated + type: boolean + - name: msrc + type: group + fields: + - name: creation_date + type: keyword + - name: cve_id + type: keyword + - name: title + type: keyword + - name: nvd_publish_age + type: long + - name: publish_date + type: date + - name: software_name + type: keyword + - name: software_type + type: keyword + - name: software_vendor + type: keyword + - name: software_version + type: keyword + - name: solution_hash_id + type: keyword + - name: version_raw + type: keyword + - name: source_addresses + type: ip + - name: source_application + type: keyword + - name: source_ips + type: ip + - name: source_zone + type: keyword + - name: speaker + type: keyword + - name: special_hint + type: long + - name: special_hint_underscore + type: keyword + - name: state + type: 
keyword + - name: subnet_tag + type: keyword + - name: subnetworks + type: group + fields: + - name: creation_timestamp + type: date + - name: gateway_address + type: ip + - name: id + type: keyword + - name: ip_cidr_range + type: ip + - name: name + type: keyword + - name: private_ip_google_access + type: boolean + - name: subscription_id + type: keyword + - name: subscription_name + type: keyword + - name: swap_free + type: double + - name: swap_total + type: double + - name: sys_id + type: keyword + - name: table_type + type: keyword + - name: tenant_number + type: keyword + - name: tenant_tag + type: keyword + - name: threat_level + type: keyword + - name: threats + type: keyword + - name: total + type: long + - name: total_number_of_cores + type: long + - name: total_physical_memory + type: double + - name: traffic_direction + type: keyword + - name: type + type: keyword + - name: u_business_owner + type: keyword + - name: u_business_unit + type: keyword + - name: uniq_sites_count + type: long + - name: uri + type: keyword + - name: urls_axon_ids + type: keyword + - name: uuid + type: keyword + - name: vendor + type: keyword + - name: virtual_host + type: boolean + - name: vm_status + type: keyword + - name: vm_type + type: keyword + - name: vpn_domain + type: keyword + - name: vpn_is_local + type: boolean + - name: vpn_lifetime + type: long + - name: vpn_public_ip + type: ip + - name: vpn_tunnel_type + type: keyword + - name: vpn_type + type: keyword + - name: z_sys_class_name + type: keyword + - name: z_table_hierarchy + type: group + fields: + - name: name + type: keyword + - name: zoom_ip + type: ip + - name: enrichment_type + type: keyword + - name: entity + type: keyword + - name: hidden_for_gui + type: boolean + - name: initial_plugin_unique_name + type: keyword + - name: name + type: keyword + - name: plugin_name + type: keyword + - name: plugin_type + type: keyword + - name: plugin_unique_name + type: keyword + - name: quick_id + type: keyword + - 
name: type + type: keyword + - name: internal_axon_id + type: keyword + - name: labels + type: keyword + - name: transform_unique_id + type: keyword diff --git a/packages/axonius/elasticsearch/transform/latest_network/fields/is-transform-source-false.yml b/packages/axonius/elasticsearch/transform/latest_network/fields/is-transform-source-false.yml new file mode 100644 index 00000000000..759b444efd7 --- /dev/null +++ b/packages/axonius/elasticsearch/transform/latest_network/fields/is-transform-source-false.yml @@ -0,0 +1,4 @@ +- name: labels.is_transform_source + type: constant_keyword + description: Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. + value: 'false' diff --git a/packages/axonius/elasticsearch/transform/latest_network/manifest.yml b/packages/axonius/elasticsearch/transform/latest_network/manifest.yml new file mode 100644 index 00000000000..24e9e926793 --- /dev/null +++ b/packages/axonius/elasticsearch/transform/latest_network/manifest.yml @@ -0,0 +1,11 @@ +start: true +destination_index_template: + mappings: + dynamic: true + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/axonius/elasticsearch/transform/latest_network/transform.yml b/packages/axonius/elasticsearch/transform/latest_network/transform.yml new file mode 100644 index 00000000000..08639f255b1 --- /dev/null +++ b/packages/axonius/elasticsearch/transform/latest_network/transform.yml 
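Review bot: In `fields.yml`, `axonius.network.event.data.subnetworks.ip_cidr_range` is mapped as `type: ip`, but its name says it carries CIDR ranges, and the Elasticsearch `ip` field type rejects CIDR notation on indexing (CIDR is accepted only in queries), so a document holding a value such as `10.0.0.0/24` (constructed example) will be rejected with a mapping error. Map it as `keyword`, as `cidr_blocks` already is in the same hunk, or as `ip_range` if range queries on it are wanted. Two consistency points in the same hunk: `provisioningState` appears to be the only camelCase name in an otherwise snake_case schema, and `software_cves.msrc.creation_date` is `keyword` while every other `creation_date` / `creation_timestamp` field is `date`; if the MSRC source really emits non-date strings there, a one-line comment saying so will stop the next reader from "fixing" it.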
@@ -0,0 +1,37 @@ +# Use of '*' to use all namespaces defined. +source: + index: + - 'logs-axonius.network-*' +dest: + index: 'logs-axonius_latest.dest_network-1' + aliases: + - alias: 'logs-axonius_latest.network' + move_on_creation: true +latest: + unique_key: + - event.dataset + - axonius.network.transform_unique_id + sort: '@timestamp' +description: >- + Latest networks from Axonius. As networks get updated, this transform stores only the latest state of each network asset inside the destination index. Thus the transform's destination index contains only the latest state of the network asset. +frequency: 30s +settings: + # This is required to prevent the transform from clobbering the Fleet-managed mappings. + deduce_mappings: false + unattended: true +sync: + time: + field: 'event.ingested' + # Updated to 120s because of refresh delay in Serverless. With default 60s, + # sometimes transform wouldn't process all documents. + delay: 120s +retention_policy: + time: + field: 'event.ingested' + max_age: 24h +_meta: + managed: false + # Bump this version to delete, reinstall, and restart the transform during + # package installation. + fleet_transform_version: 0.1.0 + run_as_kibana_system: false diff --git a/packages/axonius/img/axonius-logo.svg b/packages/axonius/img/axonius-logo.svg new file mode 100644 index 00000000000..76c63d28c54 --- /dev/null +++ b/packages/axonius/img/axonius-logo.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/packages/axonius/img/axonius-network-dashboard.png b/packages/axonius/img/axonius-network-dashboard.png new file mode 100644 index 00000000000..5369aca5afe Binary files /dev/null and b/packages/axonius/img/axonius-network-dashboard.png differ diff --git a/packages/axonius/kibana/dashboard/axonius-a47bc47d-5f69-473f-92a1-07a79cc71cf8.json b/packages/axonius/kibana/dashboard/axonius-a47bc47d-5f69-473f-92a1-07a79cc71cf8.json new file mode 100644 index 00000000000..7456a9e1d58 --- /dev/null 
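Review bot: `retention_policy.time.max_age: 24h` on `event.ingested` in `transform.yml` means an asset drops out of `logs-axonius_latest.network` once no fresh copy of it has been ingested for 24 hours, so the CEL polling interval must be comfortably shorter than a day and an agent or API outage longer than that empties the "latest" view until the next successful poll. That is a defensible trade-off, but it should be stated next to the interval setting in the README instead of being left implicit; the README hunk above documents only the 30-day ILM retention of the source indices. Minor: the `description` says the same thing twice ("stores only the latest state of each network asset inside the destination index. Thus the transform's destination index contains only the latest state of the network asset."); one of the two sentences can go.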
+++ b/packages/axonius/kibana/dashboard/axonius-a47bc47d-5f69-473f-92a1-07a79cc71cf8.json 
@@ -0,0 +1,4051 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "ctrl-action_if_exists": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "axonius.network.event.action_if_exists", + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": false, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Action If Exists" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "small" + }, + "ctrl-adapter_categories": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "axonius.network.event.adapter_categories", + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": false, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Adapter Categories" + }, + "grow": true, + "order": 3, + "type": "optionsListControl", + "width": "small" + }, + "ctrl-anti_malware_agent_status": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "axonius.network.event.data.anti_malware_agent_status", + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": false, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Anti Malware Agent Status" + }, + "grow": true, + "order": 4, + "type": "optionsListControl", + "width": "small" + }, + "ctrl-asset_type": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "axonius.network.asset_type", + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": false, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Asset Type" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "small" + }, + "ctrl-association_type": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": 
"axonius.network.event.association_type", + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": false, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Association Type" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "small" + } + }, + "showApplySelections": false + }, + "description": "Dashboard for network logs from Axonius", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "axonius.network" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "axonius.network" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "labels.is_transform_source", + "negate": false, + "params": { + "query": "false" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_transform_source": "false" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-13959481-401e-4ff2-bde5-83e8218790ba", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "13959481-401e-4ff2-bde5-83e8218790ba": { + "columnOrder": [ + "8bdab453-b644-424c-b172-666465cc25f9", + 
"57d38d19-54f1-4c6a-8ea8-096c8d75f032" + ], + "columns": { + "57d38d19-54f1-4c6a-8ea8-096c8d75f032": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "8bdab453-b644-424c-b172-666465cc25f9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "axonius.network.event.adapter_categories", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "57d38d19-54f1-4c6a-8ea8-096c8d75f032", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.adapter_categories" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "13959481-401e-4ff2-bde5-83e8218790ba", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "57d38d19-54f1-4c6a-8ea8-096c8d75f032" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "8bdab453-b644-424c-b172-666465cc25f9" + ], + "truncateLegend": false + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 12, + "i": "pie-05", + "w": 12, + "x": 48, + "y": 0 + }, + "panelIndex": "pie-05", + "title": "Events by Adapter Categories [Logs Axonius]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-5363d7d5-5a4a-4b37-b22e-d93aa296cec6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "5363d7d5-5a4a-4b37-b22e-d93aa296cec6": { + "columnOrder": [ + "040f8ec7-0325-4de3-813f-4b2bce21ba62", + "ef250ace-cc27-4d1e-b395-1aa58d88bb32" + ], + "columns": { + "040f8ec7-0325-4de3-813f-4b2bce21ba62": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "axonius.network.event.association_type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ef250ace-cc27-4d1e-b395-1aa58d88bb32", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.association_type" + }, + "ef250ace-cc27-4d1e-b395-1aa58d88bb32": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "5363d7d5-5a4a-4b37-b22e-d93aa296cec6", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "ef250ace-cc27-4d1e-b395-1aa58d88bb32" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "040f8ec7-0325-4de3-813f-4b2bce21ba62" + ], + "truncateLegend": false + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + 
"syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 12, + "i": "pie-06", + "w": 12, + "x": 60, + "y": 0 + }, + "panelIndex": "pie-06", + "title": "Events by Association Type [Logs Axonius]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Overview**\n\nThis dashboard provides a comprehensive view of Network Assets collected from Axonius.\n\nIt highlights network asset activity and exposure across the environment, giving immediate visibility into how assets communicate and where potential risks exist. Breakdowns by protocol, asset type, rule type, status, and device state help analysts quickly understand how network assets are distributed and identify unsafe or publicly exposed devices.\n\nAdditional views surface key network context such as top adapters, sources, destinations, subnetworks, routes, locations, vendors, and device categories. 
These perspectives help teams identify network exposure hotspots, assess configuration and routing risks, and prioritize remediation efforts efficiently across the network infrastructure.\n\n**[Integration Page](/app/integrations/detail/axonius)**\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 27, + "i": "9a4f4549-67e6-4e7a-ac4d-787f7958fec4", + "w": 9, + "x": 0, + "y": 0 + }, + "panelIndex": "9a4f4549-67e6-4e7a-ac4d-787f7958fec4", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-beb4cdbd-3988-414b-ae5c-973ada4b376a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "beb4cdbd-3988-414b-ae5c-973ada4b376a": { + "columnOrder": [ + "c9b13189-8d22-4d78-9776-0bb89e541796" + ], + "columns": { + "c9b13189-8d22-4d78-9776-0bb89e541796": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "axonius.network.event.data.is_exposing_public_traffic : true " + }, + "isBucketed": false, + "label": "Count of Assets Exposing Public Traffic", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "initialContext": null, + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "beb4cdbd-3988-414b-ae5c-973ada4b376a", + "layerType": "data", 
+ "metricAccessor": "c9b13189-8d22-4d78-9776-0bb89e541796" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 9, + "i": "944933ad-8624-4041-8047-cf90f836e314", + "w": 8, + "x": 17, + "y": 0 + }, + "panelIndex": "944933ad-8624-4041-8047-cf90f836e314", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a8db2fc2-4a74-4850-a5d7-1b024e153d81", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "a8db2fc2-4a74-4850-a5d7-1b024e153d81": { + "columnOrder": [ + "6d40e1b3-0dad-403c-8212-6d7eea052c01" + ], + "columns": { + "6d40e1b3-0dad-403c-8212-6d7eea052c01": { + "customLabel": true, + "dataType": "number", + "filter": null, + "isBucketed": false, + "label": "Maximum Cvss Base Score", + "operationType": "sum", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "reducedTimeRange": null, + "scale": "ratio", + "sourceField": "axonius.network.event.data.plugin_and_severities.cvss_base_score", + "timeScale": null, + "timeShift": null + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "a8db2fc2-4a74-4850-a5d7-1b024e153d81", + "layerType": "data", + "metricAccessor": "6d40e1b3-0dad-403c-8212-6d7eea052c01" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": 
[], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 9, + "i": "metric-02", + "w": 8, + "x": 25, + "y": 0 + }, + "panelIndex": "metric-02", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4d730a3e-6974-4d5e-bbb0-c7cbf250fade", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "4d730a3e-6974-4d5e-bbb0-c7cbf250fade": { + "columnOrder": [ + "135d9c82-8028-49e1-b82f-7c022c635610" + ], + "columns": { + "135d9c82-8028-49e1-b82f-7c022c635610": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Maximum Vpr Score", + "operationType": "sum", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "axonius.network.event.data.plugin_and_severities.vpr_score" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "4d730a3e-6974-4d5e-bbb0-c7cbf250fade", + "layerType": "data", + "metricAccessor": "135d9c82-8028-49e1-b82f-7c022c635610" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 9, + "i": "metric-04", + "w": 7, + "x": 33, + "y": 0 + }, + "panelIndex": "metric-04", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { 
+ "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-beb4cdbd-3988-414b-ae5c-973ada4b376a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "beb4cdbd-3988-414b-ae5c-973ada4b376a": { + "columnOrder": [ + "c9b13189-8d22-4d78-9776-0bb89e541796" + ], + "columns": { + "c9b13189-8d22-4d78-9776-0bb89e541796": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "axonius.network.event.data.is_safe : false " + }, + "isBucketed": false, + "label": "Unsafe Network Devices", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "initialContext": null, + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#CC5642", + "layerId": "beb4cdbd-3988-414b-ae5c-973ada4b376a", + "layerType": "data", + "metricAccessor": "c9b13189-8d22-4d78-9776-0bb89e541796" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 9, + "i": "06e51419-950e-47e6-a939-223d171125b0", + "w": 8, + "x": 40, + "y": 0 + }, + "panelIndex": "06e51419-950e-47e6-a939-223d171125b0", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + 
"references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8050a858-4640-4d70-8830-c38e88ec4ce7", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "8050a858-4640-4d70-8830-c38e88ec4ce7": { + "columnOrder": [ + "b61a9d27-df3e-4256-8b66-d510c8b08f0a" + ], + "columns": { + "b61a9d27-df3e-4256-8b66-d510c8b08f0a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Events", + "operationType": "count", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "8050a858-4640-4d70-8830-c38e88ec4ce7", + "layerType": "data", + "metricAccessor": "b61a9d27-df3e-4256-8b66-d510c8b08f0a" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 9, + "i": "metric-01", + "w": 8, + "x": 9, + "y": 0 + }, + "panelIndex": "metric-01", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ce73c071-4e83-4531-aed0-c10e4e50c151", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "ce73c071-4e83-4531-aed0-c10e4e50c151": { + "columnOrder": [ + "84c244b4-ef4e-4d8d-8145-4f3714471aff", + 
"6958c55e-cb75-419d-a8f2-71a8022b6f0b", + "08d7bafd-150d-4415-8ca1-bc829630fddf" + ], + "columns": { + "08d7bafd-150d-4415-8ca1-bc829630fddf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "6958c55e-cb75-419d-a8f2-71a8022b6f0b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "84c244b4-ef4e-4d8d-8145-4f3714471aff": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Asset Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "08d7bafd-150d-4415-8ca1-bc829630fddf", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 7 + }, + "scale": "ordinal", + "sourceField": "axonius.network.asset_type" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "emphasizeFitting": true, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "08d7bafd-150d-4415-8ca1-bc829630fddf" + ], + "layerId": "ce73c071-4e83-4531-aed0-c10e4e50c151", + "layerType": "data", + "seriesType": "line", + "splitAccessor": "84c244b4-ef4e-4d8d-8145-4f3714471aff", + "xAccessor": "6958c55e-cb75-419d-a8f2-71a8022b6f0b" + } + ], + 
"legend": { + "isVisible": true, + "legendStats": [ + "currentAndLastValue" + ], + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "line-01", + "w": 24, + "x": 9, + "y": 9 + }, + "panelIndex": "line-01", + "title": "Events over Time", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1a0ebbd3-9939-4097-93e4-4f64e486e86c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "1a0ebbd3-9939-4097-93e4-4f64e486e86c": { + "columnOrder": [ + "8be6fc6f-9468-4b96-9e8d-51c803225d65", + "ac63e87f-77e9-4032-ab87-4fcdb60c04a1", + "2412c903-8b80-4afb-8711-621f7351d4f6" + ], + "columns": { + "2412c903-8b80-4afb-8711-621f7351d4f6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "8be6fc6f-9468-4b96-9e8d-51c803225d65": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Anti Malware Agent Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "2412c903-8b80-4afb-8711-621f7351d4f6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"axonius.network.event.data.anti_malware_agent_status" + }, + "ac63e87f-77e9-4032-ab87-4fcdb60c04a1": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "emphasizeFitting": true, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "2412c903-8b80-4afb-8711-621f7351d4f6" + ], + "layerId": "1a0ebbd3-9939-4097-93e4-4f64e486e86c", + "layerType": "data", + "seriesType": "area_stacked", + "splitAccessor": "8be6fc6f-9468-4b96-9e8d-51c803225d65", + "xAccessor": "ac63e87f-77e9-4032-ab87-4fcdb60c04a1" + } + ], + "legend": { + "isVisible": true, + "legendStats": [ + "currentAndLastValue" + ], + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "area_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "line-02", + "w": 33, + "x": 0, + "y": 27 + }, + "panelIndex": "line-02", + "title": "Events by Anti Malware Agent Status over Time", + "type": "lens" + }, + { + "embeddableConfig": { + 
"attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9cb47ef9-d506-4e82-acf5-d164cdee188b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9cb47ef9-d506-4e82-acf5-d164cdee188b": { + "columnOrder": [ + "986382ad-917a-4c21-a5d4-2c0f8765ac2d", + "0cfb5e2c-010c-4016-b394-d701c633c17d" + ], + "columns": { + "0cfb5e2c-010c-4016-b394-d701c633c17d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "986382ad-917a-4c21-a5d4-2c0f8765ac2d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Status", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "0cfb5e2c-010c-4016-b394-d701c633c17d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.data.status" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "9cb47ef9-d506-4e82-acf5-d164cdee188b", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + 
"0cfb5e2c-010c-4016-b394-d701c633c17d" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "986382ad-917a-4c21-a5d4-2c0f8765ac2d" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "8f04869e-2127-4bfe-b95b-159167c8b717", + "w": 15, + "x": 33, + "y": 9 + }, + "panelIndex": "8f04869e-2127-4bfe-b95b-159167c8b717", + "title": "Assets by Status", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-cc302538-a661-4aee-91db-bd20145d6bc0", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "cc302538-a661-4aee-91db-bd20145d6bc0": { + "columnOrder": [ + "a54ca061-3ec5-4202-92bf-647de917b2aa", + "96885508-53ac-458b-aa19-53eff1d0375f" + ], + "columns": { + "96885508-53ac-458b-aa19-53eff1d0375f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "a54ca061-3ec5-4202-92bf-647de917b2aa": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Protocol", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "96885508-53ac-458b-aa19-53eff1d0375f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": 
"network.protocol" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "cc302538-a661-4aee-91db-bd20145d6bc0", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "96885508-53ac-458b-aa19-53eff1d0375f" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "a54ca061-3ec5-4202-92bf-647de917b2aa" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "1649a7ae-26a9-43c8-9059-1dbb3bb15f33", + "w": 15, + "x": 33, + "y": 27 + }, + "panelIndex": "1649a7ae-26a9-43c8-9059-1dbb3bb15f33", + "title": "Events by Protocol", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e357dafe-052c-486d-aa64-1e9b7782d987", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e357dafe-052c-486d-aa64-1e9b7782d987": { + "columnOrder": [ + "ae6b4795-c903-443f-ae74-b163e9c4be38", + "7c2288d1-de19-4dd8-be64-8c1881ce6ee2" + ], + "columns": { + "7c2288d1-de19-4dd8-be64-8c1881ce6ee2": { + 
"customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ae6b4795-c903-443f-ae74-b163e9c4be38": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "OS Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7c2288d1-de19-4dd8-be64-8c1881ce6ee2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.data.os.type" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "e357dafe-052c-486d-aa64-1e9b7782d987", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "7c2288d1-de19-4dd8-be64-8c1881ce6ee2" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "ae6b4795-c903-443f-ae74-b163e9c4be38" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + 
"syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "bd9781ec-4b8b-4af0-bc6f-e22a0f6c1979", + "w": 17, + "x": 0, + "y": 42 + }, + "panelIndex": "bd9781ec-4b8b-4af0-bc6f-e22a0f6c1979", + "title": "Assets by Network Device OS Type", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-156aa35f-6a7c-4851-8e2b-e75136f4d7fb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "156aa35f-6a7c-4851-8e2b-e75136f4d7fb": { + "columnOrder": [ + "9cdc8a3b-0b2c-4dfd-ad64-64b38a4095b1", + "cca9a257-7e98-4ff7-8a6b-16ac86576643" + ], + "columns": { + "9cdc8a3b-0b2c-4dfd-ad64-64b38a4095b1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Device State", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "cca9a257-7e98-4ff7-8a6b-16ac86576643", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.data.device_state" + }, + "cca9a257-7e98-4ff7-8a6b-16ac86576643": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + 
"paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "156aa35f-6a7c-4851-8e2b-e75136f4d7fb", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "cca9a257-7e98-4ff7-8a6b-16ac86576643" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "9cdc8a3b-0b2c-4dfd-ad64-64b38a4095b1" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "51107a9d-3a28-40ae-8d7c-1ae69983fcf3", + "w": 16, + "x": 17, + "y": 42 + }, + "panelIndex": "51107a9d-3a28-40ae-8d7c-1ae69983fcf3", + "title": "Network Devices by their State", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-26382bb0-ddea-48ad-a287-d39cbc3dbd18", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "26382bb0-ddea-48ad-a287-d39cbc3dbd18": { + "columnOrder": [ + "dca31065-c0d4-499e-aa8b-f0dcaab285e1", + "5c231006-9938-4d83-9cfa-d6fe0adea351" + ], + "columns": { + "5c231006-9938-4d83-9cfa-d6fe0adea351": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "dca31065-c0d4-499e-aa8b-f0dcaab285e1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": 
"5c231006-9938-4d83-9cfa-d6fe0adea351", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "26382bb0-ddea-48ad-a287-d39cbc3dbd18", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "5c231006-9938-4d83-9cfa-d6fe0adea351" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "dca31065-c0d4-499e-aa8b-f0dcaab285e1" + ], + "truncateLegend": false + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "pie-04", + "w": 15, + "x": 33, + "y": 42 + }, + "panelIndex": "pie-04", + "title": "Events by Action", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e357dafe-052c-486d-aa64-1e9b7782d987", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "e357dafe-052c-486d-aa64-1e9b7782d987": { + "columnOrder": [ + "ae6b4795-c903-443f-ae74-b163e9c4be38", + "7c2288d1-de19-4dd8-be64-8c1881ce6ee2" + ], + "columns": { + "7c2288d1-de19-4dd8-be64-8c1881ce6ee2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + 
"emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ae6b4795-c903-443f-ae74-b163e9c4be38": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Direction", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7c2288d1-de19-4dd8-be64-8c1881ce6ee2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "network.direction" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "initialContext": null, + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "e357dafe-052c-486d-aa64-1e9b7782d987", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "7c2288d1-de19-4dd8-be64-8c1881ce6ee2" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "ae6b4795-c903-443f-ae74-b163e9c4be38" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": 
"kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "8c0d8e2e-81c9-4130-8770-58a5b8d4bf34", + "w": 16, + "x": 17, + "y": 56 + }, + "panelIndex": "8c0d8e2e-81c9-4130-8770-58a5b8d4bf34", + "title": "Networks by Direction", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e357dafe-052c-486d-aa64-1e9b7782d987", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "e357dafe-052c-486d-aa64-1e9b7782d987": { + "columnOrder": [ + "ae6b4795-c903-443f-ae74-b163e9c4be38", + "7c2288d1-de19-4dd8-be64-8c1881ce6ee2" + ], + "columns": { + "7c2288d1-de19-4dd8-be64-8c1881ce6ee2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ae6b4795-c903-443f-ae74-b163e9c4be38": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Device Category", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7c2288d1-de19-4dd8-be64-8c1881ce6ee2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.data.category" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": 
"logs-*" + } + ], + "initialContext": null, + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "e357dafe-052c-486d-aa64-1e9b7782d987", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "7c2288d1-de19-4dd8-be64-8c1881ce6ee2" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "ae6b4795-c903-443f-ae74-b163e9c4be38" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "e011c75b-06fc-4a44-a26e-52916c505df7", + "w": 15, + "x": 33, + "y": 56 + }, + "panelIndex": "e011c75b-06fc-4a44-a26e-52916c505df7", + "title": "Assets by Network Device Category", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e357dafe-052c-486d-aa64-1e9b7782d987", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "e357dafe-052c-486d-aa64-1e9b7782d987": { + "columnOrder": [ + "ae6b4795-c903-443f-ae74-b163e9c4be38", + "7c2288d1-de19-4dd8-be64-8c1881ce6ee2" + ], + "columns": { + "7c2288d1-de19-4dd8-be64-8c1881ce6ee2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + 
"operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ae6b4795-c903-443f-ae74-b163e9c4be38": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Routing Mode", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7c2288d1-de19-4dd8-be64-8c1881ce6ee2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.data.routing_mode" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "e357dafe-052c-486d-aa64-1e9b7782d987", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "7c2288d1-de19-4dd8-be64-8c1881ce6ee2" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "ae6b4795-c903-443f-ae74-b163e9c4be38" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + 
"filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "b16905d3-304b-42f2-bad4-40b1f0a7c44d", + "w": 17, + "x": 0, + "y": 56 + }, + "panelIndex": "b16905d3-304b-42f2-bad4-40b1f0a7c44d", + "title": "Networks by their Routing Mode", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b68303e4-69d9-4bde-973a-3d710669e5a6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b68303e4-69d9-4bde-973a-3d710669e5a6": { + "columnOrder": [ + "820e490b-3e12-438f-baf6-a9f8230929b4", + "5e436920-70c2-4dc4-85f4-bb793495c4e1" + ], + "columns": { + "5e436920-70c2-4dc4-85f4-bb793495c4e1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "820e490b-3e12-438f-baf6-a9f8230929b4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Rule Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5e436920-70c2-4dc4-85f4-bb793495c4e1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.data.rule_type" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + 
"accessors": [ + "5e436920-70c2-4dc4-85f4-bb793495c4e1" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "b68303e4-69d9-4bde-973a-3d710669e5a6", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "820e490b-3e12-438f-baf6-a9f8230929b4" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "60fe4d77-f115-4135-a3ff-047d3e06b7a5", + "w": 24, + "x": 0, + "y": 70 + }, + "panelIndex": "60fe4d77-f115-4135-a3ff-047d3e06b7a5", + "title": "Events by Rule Type", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d1c14d51-c147-4e66-898b-e36459a88c62", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d1c14d51-c147-4e66-898b-e36459a88c62": { + "columnOrder": [ + "0dbf28f9-bad3-4424-857d-002a96385ea0", + "696e1fac-4a86-4293-bbf2-25795083ab3a" + ], + "columns": { + "0dbf28f9-bad3-4424-857d-002a96385ea0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { 
+ "columnId": "696e1fac-4a86-4293-bbf2-25795083ab3a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.data.type" + }, + "696e1fac-4a86-4293-bbf2-25795083ab3a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "696e1fac-4a86-4293-bbf2-25795083ab3a" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "d1c14d51-c147-4e66-898b-e36459a88c62", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "0dbf28f9-bad3-4424-857d-002a96385ea0" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "339b9801-ab41-41ad-9bf8-276094d794c3", + "w": 24, + "x": 24, + "y": 70 + }, + "panelIndex": 
"339b9801-ab41-41ad-9bf8-276094d794c3", + "title": "Events by Type", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-786ae894-0b84-44b6-b5b6-7a705f8649e8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "786ae894-0b84-44b6-b5b6-7a705f8649e8": { + "columnOrder": [ + "bbb5cd0c-fe29-401e-8425-781c7a5810d8", + "4db5beb0-72bd-48a0-98d5-007f1ad0e3b2", + "76dbb02d-8cc6-4676-995e-0e54057da21e" + ], + "columns": { + "4db5beb0-72bd-48a0-98d5-007f1ad0e3b2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Source Zone", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "76dbb02d-8cc6-4676-995e-0e54057da21e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.data.source_zone" + }, + "76dbb02d-8cc6-4676-995e-0e54057da21e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "bbb5cd0c-fe29-401e-8425-781c7a5810d8": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source Address", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "76dbb02d-8cc6-4676-995e-0e54057da21e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"axonius.network.event.data.source_addresses" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "76dbb02d-8cc6-4676-995e-0e54057da21e", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "bbb5cd0c-fe29-401e-8425-781c7a5810d8", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "4db5beb0-72bd-48a0-98d5-007f1ad0e3b2", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "786ae894-0b84-44b6-b5b6-7a705f8649e8", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "932f74dd-a3e8-4765-b931-45c5cd9331b1", + "w": 24, + "x": 24, + "y": 136 + }, + "panelIndex": "932f74dd-a3e8-4765-b931-45c5cd9331b1", + "title": "Top Sources", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-694c4636-9537-44b5-9858-a0d5802e61e5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "694c4636-9537-44b5-9858-a0d5802e61e5": { + "columnOrder": [ + "9bdce7ce-0c31-4dd7-bc66-6cc8f5646dac", + "fb927026-6a08-40ed-902d-7f6c2e7d9b9d" + ], + "columns": { + "9bdce7ce-0c31-4dd7-bc66-6cc8f5646dac": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Adapter", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + 
"include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "fb927026-6a08-40ed-902d-7f6c2e7d9b9d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "axonius.network.adapters" + }, + "fb927026-6a08-40ed-902d-7f6c2e7d9b9d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "fb927026-6a08-40ed-902d-7f6c2e7d9b9d", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "9bdce7ce-0c31-4dd7-bc66-6cc8f5646dac", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "694c4636-9537-44b5-9858-a0d5802e61e5", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "cf14bc5d-1e8d-4ccf-bf7e-a20399695428", + "w": 24, + "x": 0, + "y": 85 + }, + "panelIndex": "cf14bc5d-1e8d-4ccf-bf7e-a20399695428", + "title": "Top Network Adapters", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-c098663a-cc76-42b5-8a7b-b0aead075346", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "c098663a-cc76-42b5-8a7b-b0aead075346": { + "columnOrder": [ + "fff6f5f3-6e8e-4aaa-9fa3-b0bc5a7efc05", + "1f420654-8c77-46f4-a357-36b641669b0c" + ], + "columns": { + "1f420654-8c77-46f4-a357-36b641669b0c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "fff6f5f3-6e8e-4aaa-9fa3-b0bc5a7efc05": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Username", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1f420654-8c77-46f4-a357-36b641669b0c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.data.jamf_location.username" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "fff6f5f3-6e8e-4aaa-9fa3-b0bc5a7efc05" + }, + { + "columnId": "1f420654-8c77-46f4-a357-36b641669b0c" + } + ], + "layerId": "c098663a-cc76-42b5-8a7b-b0aead075346", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "bar-01", + "w": 24, + "x": 24, + "y": 85 + }, + "panelIndex": "bar-01", + "title": "Top Username", + "type": "lens" + }, + { + 
"embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8f2a10d0-0596-45e0-bf31-0320fc364b20", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8f2a10d0-0596-45e0-bf31-0320fc364b20": { + "columnOrder": [ + "8ea64d80-7ff9-484e-ba0a-fe0a65881628", + "a23cc880-a361-4414-a090-d7012a055062" + ], + "columns": { + "8ea64d80-7ff9-484e-ba0a-fe0a65881628": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Gateway Address", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a23cc880-a361-4414-a090-d7012a055062", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.data.subnetworks.gateway_address" + }, + "a23cc880-a361-4414-a090-d7012a055062": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "a23cc880-a361-4414-a090-d7012a055062", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "8ea64d80-7ff9-484e-ba0a-fe0a65881628", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "8f2a10d0-0596-45e0-bf31-0320fc364b20", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + 
}, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "44e86071-590a-411a-abaf-e8c54bdac624", + "w": 24, + "x": 24, + "y": 101 + }, + "panelIndex": "44e86071-590a-411a-abaf-e8c54bdac624", + "title": "Top Subnetworks", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-786ae894-0b84-44b6-b5b6-7a705f8649e8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "786ae894-0b84-44b6-b5b6-7a705f8649e8": { + "columnOrder": [ + "bbb5cd0c-fe29-401e-8425-781c7a5810d8", + "76dbb02d-8cc6-4676-995e-0e54057da21e" + ], + "columns": { + "76dbb02d-8cc6-4676-995e-0e54057da21e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "bbb5cd0c-fe29-401e-8425-781c7a5810d8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Device Group", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "76dbb02d-8cc6-4676-995e-0e54057da21e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.data.device_group" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + 
}, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "76dbb02d-8cc6-4676-995e-0e54057da21e", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "bbb5cd0c-fe29-401e-8425-781c7a5810d8", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "786ae894-0b84-44b6-b5b6-7a705f8649e8", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "027d7f85-91cc-402a-99ab-4df8e89ddb0e", + "w": 24, + "x": 0, + "y": 101 + }, + "panelIndex": "027d7f85-91cc-402a-99ab-4df8e89ddb0e", + "title": "Top device Groups", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-786ae894-0b84-44b6-b5b6-7a705f8649e8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "786ae894-0b84-44b6-b5b6-7a705f8649e8": { + "columnOrder": [ + "bbb5cd0c-fe29-401e-8425-781c7a5810d8", + "4db5beb0-72bd-48a0-98d5-007f1ad0e3b2", + "76dbb02d-8cc6-4676-995e-0e54057da21e" + ], + "columns": { + "4db5beb0-72bd-48a0-98d5-007f1ad0e3b2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Destination Zone", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": 
"76dbb02d-8cc6-4676-995e-0e54057da21e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.data.destination_zone" + }, + "76dbb02d-8cc6-4676-995e-0e54057da21e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "bbb5cd0c-fe29-401e-8425-781c7a5810d8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Destination Address", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "76dbb02d-8cc6-4676-995e-0e54057da21e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.data.destination_addresses" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "76dbb02d-8cc6-4676-995e-0e54057da21e", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "bbb5cd0c-fe29-401e-8425-781c7a5810d8", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "4db5beb0-72bd-48a0-98d5-007f1ad0e3b2", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": 
"786ae894-0b84-44b6-b5b6-7a705f8649e8", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "37b20379-6a40-408d-b7d1-9efca7915d9a", + "w": 24, + "x": 0, + "y": 118 + }, + "panelIndex": "37b20379-6a40-408d-b7d1-9efca7915d9a", + "title": "Top Destinations", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4ad7f131-3639-4e60-b053-236fc8c3201c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4ad7f131-3639-4e60-b053-236fc8c3201c": { + "columnOrder": [ + "4a7fefc4-1944-47bf-b5b2-471f2e27a48f", + "10577d16-17fc-41df-b64f-d9638e21816e" + ], + "columns": { + "10577d16-17fc-41df-b64f-d9638e21816e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "4a7fefc4-1944-47bf-b5b2-471f2e27a48f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Location", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "10577d16-17fc-41df-b64f-d9638e21816e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.geo.city_name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + 
"textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "4a7fefc4-1944-47bf-b5b2-471f2e27a48f" + }, + { + "columnId": "10577d16-17fc-41df-b64f-d9638e21816e" + } + ], + "layerId": "4ad7f131-3639-4e60-b053-236fc8c3201c", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "614c00e3-72b5-47d3-8e14-94602d0aae4c", + "w": 23, + "x": 24, + "y": 118 + }, + "panelIndex": "614c00e3-72b5-47d3-8e14-94602d0aae4c", + "title": "Top Network Assets Location", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-974c668f-bd5a-4b4a-a91e-191e0bc6bc84", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "974c668f-bd5a-4b4a-a91e-191e0bc6bc84": { + "columnOrder": [ + "c65260a1-463c-4206-9787-463dc0a8c189", + "b65d8e3f-3886-44a7-a734-a38a3623ed06", + "af581930-eda8-4eeb-873a-b5aa6be3078c", + "77fdd4e3-f6a1-42bf-bb5f-c5c7e230d24e" + ], + "columns": { + "77fdd4e3-f6a1-42bf-bb5f-c5c7e230d24e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "af581930-eda8-4eeb-873a-b5aa6be3078c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host Domain", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": 
false, + "orderBy": { + "columnId": "77fdd4e3-f6a1-42bf-bb5f-c5c7e230d24e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.domain" + }, + "b65d8e3f-3886-44a7-a734-a38a3623ed06": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "EPO Host", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "77fdd4e3-f6a1-42bf-bb5f-c5c7e230d24e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "axonius.network.event.data.epo_host" + }, + "c65260a1-463c-4206-9787-463dc0a8c189": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Hostname", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "77fdd4e3-f6a1-42bf-bb5f-c5c7e230d24e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.hostname" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "77fdd4e3-f6a1-42bf-bb5f-c5c7e230d24e", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "c65260a1-463c-4206-9787-463dc0a8c189", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "b65d8e3f-3886-44a7-a734-a38a3623ed06", + "isMetric": 
false, + "isTransposed": false + }, + { + "columnId": "af581930-eda8-4eeb-873a-b5aa6be3078c", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "974c668f-bd5a-4b4a-a91e-191e0bc6bc84", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "d9924234-e730-44b9-8c6c-8786f8a86f63", + "w": 24, + "x": 0, + "y": 136 + }, + "panelIndex": "d9924234-e730-44b9-8c6c-8786f8a86f63", + "title": "Top Host Details", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Axonius] Network", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-12-16T13:03:33.926Z", + "id": "axonius-a47bc47d-5f69-473f-92a1-07a79cc71cf8", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "pie-05:indexpattern-datasource-layer-13959481-401e-4ff2-bde5-83e8218790ba", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "pie-06:indexpattern-datasource-layer-5363d7d5-5a4a-4b37-b22e-d93aa296cec6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "944933ad-8624-4041-8047-cf90f836e314:indexpattern-datasource-layer-beb4cdbd-3988-414b-ae5c-973ada4b376a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "metric-02:indexpattern-datasource-layer-a8db2fc2-4a74-4850-a5d7-1b024e153d81", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "metric-04:indexpattern-datasource-layer-4d730a3e-6974-4d5e-bbb0-c7cbf250fade", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"06e51419-950e-47e6-a939-223d171125b0:indexpattern-datasource-layer-beb4cdbd-3988-414b-ae5c-973ada4b376a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "metric-01:indexpattern-datasource-layer-8050a858-4640-4d70-8830-c38e88ec4ce7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "line-01:indexpattern-datasource-layer-ce73c071-4e83-4531-aed0-c10e4e50c151", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "line-02:indexpattern-datasource-layer-1a0ebbd3-9939-4097-93e4-4f64e486e86c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8f04869e-2127-4bfe-b95b-159167c8b717:indexpattern-datasource-layer-9cb47ef9-d506-4e82-acf5-d164cdee188b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1649a7ae-26a9-43c8-9059-1dbb3bb15f33:indexpattern-datasource-layer-cc302538-a661-4aee-91db-bd20145d6bc0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bd9781ec-4b8b-4af0-bc6f-e22a0f6c1979:indexpattern-datasource-layer-e357dafe-052c-486d-aa64-1e9b7782d987", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "51107a9d-3a28-40ae-8d7c-1ae69983fcf3:indexpattern-datasource-layer-156aa35f-6a7c-4851-8e2b-e75136f4d7fb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "pie-04:indexpattern-datasource-layer-26382bb0-ddea-48ad-a287-d39cbc3dbd18", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8c0d8e2e-81c9-4130-8770-58a5b8d4bf34:indexpattern-datasource-layer-e357dafe-052c-486d-aa64-1e9b7782d987", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e011c75b-06fc-4a44-a26e-52916c505df7:indexpattern-datasource-layer-e357dafe-052c-486d-aa64-1e9b7782d987", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b16905d3-304b-42f2-bad4-40b1f0a7c44d:indexpattern-datasource-layer-e357dafe-052c-486d-aa64-1e9b7782d987", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"60fe4d77-f115-4135-a3ff-047d3e06b7a5:indexpattern-datasource-layer-b68303e4-69d9-4bde-973a-3d710669e5a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "339b9801-ab41-41ad-9bf8-276094d794c3:indexpattern-datasource-layer-d1c14d51-c147-4e66-898b-e36459a88c62", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "932f74dd-a3e8-4765-b931-45c5cd9331b1:indexpattern-datasource-layer-786ae894-0b84-44b6-b5b6-7a705f8649e8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cf14bc5d-1e8d-4ccf-bf7e-a20399695428:indexpattern-datasource-layer-694c4636-9537-44b5-9858-a0d5802e61e5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bar-01:indexpattern-datasource-layer-c098663a-cc76-42b5-8a7b-b0aead075346", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "44e86071-590a-411a-abaf-e8c54bdac624:indexpattern-datasource-layer-8f2a10d0-0596-45e0-bf31-0320fc364b20", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "027d7f85-91cc-402a-99ab-4df8e89ddb0e:indexpattern-datasource-layer-786ae894-0b84-44b6-b5b6-7a705f8649e8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "37b20379-6a40-408d-b7d1-9efca7915d9a:indexpattern-datasource-layer-786ae894-0b84-44b6-b5b6-7a705f8649e8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "614c00e3-72b5-47d3-8e14-94602d0aae4c:indexpattern-datasource-layer-4ad7f131-3639-4e60-b053-236fc8c3201c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d9924234-e730-44b9-8c6c-8786f8a86f63:indexpattern-datasource-layer-974c668f-bd5a-4b4a-a91e-191e0bc6bc84", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ctrl-asset_type:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ctrl-action_if_exists:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ctrl-association_type:optionsListDataView", + "type": "index-pattern" + }, + { 
+ "id": "logs-*", + "name": "controlGroup_ctrl-adapter_categories:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ctrl-anti_malware_agent_status:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/axonius/manifest.yml b/packages/axonius/manifest.yml new file mode 100644 index 00000000000..622e66086df --- /dev/null +++ b/packages/axonius/manifest.yml 
@@ -0,0 +1,102 @@ +format_version: 3.3.2 +name: axonius +title: Axonius +version: 0.1.0 +description: Collect logs from Axonius with Elastic Agent. +type: integration +categories: + - security +conditions: + kibana: + version: ^8.18.0 || ^9.1.0 + elastic: + subscription: basic +screenshots: + - src: /img/axonius-network-dashboard.png + title: Network Assets Dashboard + size: 600x600 + type: image/png +icons: + - src: /img/axonius-logo.svg + title: Axonius Logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: axonius + title: Axonius + description: Collect logs from Axonius. + deployment_modes: + default: + enabled: true + agentless: + enabled: true + organization: security + division: engineering + team: security-service-integrations + inputs: + - type: cel + title: Collect logs from Axonius API + description: Collecting logs via Axonius API. + vars: + - name: url + type: url + title: URL + description: Base URL of the Axonius server. + multi: false + required: true + show_user: true + - name: api_key + type: password + title: API Key + secret: true + description: API key from the Axonius server. + multi: false + required: true + show_user: true + - name: secret_key + type: password + title: API Secret + secret: true + description: API secret from the Axonius server. + multi: false + required: true + show_user: true + - name: proxy_url + type: text + title: Proxy URL + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + multi: false + required: false + show_user: false + - name: ssl + type: yaml + title: SSL Configuration + description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- +owner: + github: elastic/security-service-integrations + type: elastic diff --git a/packages/axonius/validation.yml b/packages/axonius/validation.yml new file mode 100644 index 00000000000..b158b062b3f --- /dev/null +++ b/packages/axonius/validation.yml @@ -0,0 +1,3 @@ +errors: + exclude_checks: + - SVR00004 # References in dashboard.
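Review bot: in the dashboard hunk the top-level `references` array lists `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` and `kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index` twice (once at the head of the array and again after the `controlGroup_ctrl-*` entries); drop the second pair so each filter resolves to exactly one reference. The exported object also still carries `"updated_by": "u_mGBROF_..."` and a `created_at` timestamp, which are environment-specific export residue and should be removed from the committed saved object. Minor: the `Count` column of the `Top Network Assets Location` table uses `"emptyAsNull": true` while the other count columns use `false`; pick one so empty buckets render consistently across panels, and add the missing trailing newline flagged by `\ No newline at end of file`.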
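Review bot: in the `manifest.yml` hunk the `proxy_url` description gives the URL form as `http[s]://:@:`, which has no placeholder names, so a user cannot tell where the username, password, host and port belong; restore them along the lines of `http[s]://<user>:<password>@<proxy_host>:<port>` (if the angle-bracketed tokens were dropped by the rendering here, double-check the committed file). Also the third var is named `secret_key` and described as the "API secret" but titled `API Secret`, while the second is `api_key` / `API Key`; align the title and description with the Axonius terminology so the two credentials are not confused in the policy editor. The `url` var is typed `url` and both credentials are `type: password` with `secret: true`, which is correct.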
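Review bot: in the `validation.yml` hunk the `SVR00004` exclusion is justified only by the comment `# References in dashboard.`; expand it to say why the dashboard must keep its `references` (the control-group and Lens panel entries that point at `logs-*`) and whether the exclusion is temporary, so a later reviewer knows when it can be dropped. Fixing the duplicated `kibanaSavedObjectMeta.searchSourceJSON.filter[...]` entries in the dashboard hunk first would also keep the exclusion from masking a real defect.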